Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-dh3tcacfa4
Target aa96cbc9b53138883480cee00d2e6e41.exe
SHA256 0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79
Tags
smokeloader glupteba redline @oleh_ps livetraffic up3 backdoor discovery dropper evasion infostealer loader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79

Threat Level: Known bad

The file aa96cbc9b53138883480cee00d2e6e41.exe was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Glupteba

RedLine

Glupteba payload

Smokeloader family

SmokeLoader

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:01

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:01

Reported

2023-12-11 03:04

Platform

win7-20231023-en

Max time kernel

68s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9869.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B34.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9869.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\9869.exe
PID 1216 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\9869.exe
PID 1216 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\9869.exe
PID 1216 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\9869.exe
PID 1216 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B34.exe
PID 1216 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B34.exe
PID 1216 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B34.exe
PID 1216 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B34.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

C:\Users\Admin\AppData\Local\Temp\9869.exe

C:\Users\Admin\AppData\Local\Temp\9869.exe

C:\Users\Admin\AppData\Local\Temp\4B34.exe

C:\Users\Admin\AppData\Local\Temp\4B34.exe

C:\Users\Admin\AppData\Local\Temp\4DE4.exe

C:\Users\Admin\AppData\Local\Temp\4DE4.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp" /SL5="$90118,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211030245.log C:\Windows\Logs\CBS\CbsPersist_20231211030245.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\97FE.exe

C:\Users\Admin\AppData\Local\Temp\97FE.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
MD 176.123.7.190:32927 tcp
US 20.150.38.228:443 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:01

Reported

2023-12-11 03:04

Platform

win10v2004-20231127-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F06B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E7DC.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 4200 N/A N/A C:\Users\Admin\AppData\Local\Temp\F06B.exe
PID 3172 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A9.exe
PID 3172 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7DC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

C:\Users\Admin\AppData\Local\Temp\F06B.exe

C:\Users\Admin\AppData\Local\Temp\F06B.exe

C:\Users\Admin\AppData\Local\Temp\E5A9.exe

C:\Users\Admin\AppData\Local\Temp\E5A9.exe

C:\Users\Admin\AppData\Local\Temp\E7DC.exe

C:\Users\Admin\AppData\Local\Temp\E7DC.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-VVSTO.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VVSTO.tmp\tuc3.tmp" /SL5="$80090,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\37B3.exe

C:\Users\Admin\AppData\Local\Temp\37B3.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\5994.exe

C:\Users\Admin\AppData\Local\Temp\5994.exe

Network

Country Destination Domain Proto

Files
