Malware Analysis Report

2025-03-15 05:13

Sample ID 231211-dhwd9sbcdn
Target aa96cbc9b53138883480cee00d2e6e41.exe
SHA256 0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79
Tags
redline smokeloader @oleh_ps livetraffic up3 backdoor evasion infostealer trojan discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79

Threat Level: Known bad

The file aa96cbc9b53138883480cee00d2e6e41.exe was found to be: Known bad.

Malicious Activity Summary

redline smokeloader @oleh_ps livetraffic up3 backdoor evasion infostealer trojan discovery spyware stealer

SmokeLoader

RedLine

RedLine payload

Smokeloader family

Modifies Windows Firewall

Downloads MZ/PE file

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Runs net.exe

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:01

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:01

Reported

2023-12-11 03:03

Platform

win10v2004-20231201-en

Max time kernel

53s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9AF8.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
(62 further rows with no recorded description, indicator, process or target)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 3256 N/A N/A C:\Users\Admin\AppData\Local\Temp\9AF8.exe
PID 3408 wrote to memory of 3256 N/A N/A C:\Users\Admin\AppData\Local\Temp\9AF8.exe
PID 3408 wrote to memory of 3256 N/A N/A C:\Users\Admin\AppData\Local\Temp\9AF8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

C:\Users\Admin\AppData\Local\Temp\9AF8.exe

C:\Users\Admin\AppData\Local\Temp\9AF8.exe

C:\Users\Admin\AppData\Local\Temp\FC6D.exe

C:\Users\Admin\AppData\Local\Temp\FC6D.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-A8HOJ.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A8HOJ.tmp\tuc3.tmp" /SL5="$601F6,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\102.exe

C:\Users\Admin\AppData\Local\Temp\102.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 332

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4743.exe

C:\Users\Admin\AppData\Local\Temp\4743.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
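
The command lines above carry this run's persistence and evasion story: a binary named csrss.exe dropped to C:\Windows\rss rather than System32, a firewall allow rule for that path, an ONLOGON scheduled task at the highest run level pointing at it, and an injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe (NtQuerySystemInformation is the call Task Manager uses to enumerate processes, so hooking it there hides processes from the user). The script below is an added example, not part of the sandbox report: it applies a few rules of that kind to the observed command lines, copied from the Processes list, and groups the findings by rule. The rule names and the masquerading list are the editor's own, and the assumed argument order of injector.exe (target process, then DLL) is inferred from the command line, not documented anywhere on this page. Commands the rules do not cover, such as net.exe helpmsg 1 and the bare powershell invocations, produce no finding.

```python
"""Rule-based triage of the command lines in the Processes list above.

Added example for this page; it is not part of the sandbox report and the
rules are the editor's heuristics. OBSERVED_CMDLINES is copied from the
behavioral2 Processes section (one entry per distinct command line).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

OBSERVED_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"',
    r'"C:\Windows\system32\net.exe" helpmsg 1',
    r'"C:\Windows\system32\schtasks.exe" /Query',
    r'powershell -nologo -noprofile',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
]

# Process names that belong only in System32/SysWOW64. Running one from any
# other directory is masquerading (editor's list; the report does not map it).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    rule: str
    detail: str
    cmdline: str


def image_paths(cmdline):
    """Every absolute Windows path in the command line, quoted or bare."""
    return re.findall(r'[A-Za-z]:\\[^"\s]+', cmdline)


def schtasks_option(cmdline, name):
    """Value of a schtasks /NAME option, with or without surrounding quotes."""
    m = re.search(rf'/{name}\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def triage(cmdline):
    low = cmdline.lower()
    found = []
    # 1. System-process name executed from (or installed from) a non-system directory.
    for path in image_paths(cmdline):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            found.append(Finding("masquerade_system_binary", f"{path} uses a system-process name outside System32", cmdline))
    # 2. Scheduled-task persistence, with the options that matter for severity.
    if "schtasks" in low and re.search(r"/create\b", low):
        sc, rl, tn, tr = (schtasks_option(cmdline, o) for o in ("sc", "rl", "tn", "tr"))
        found.append(Finding("scheduled_task_created", f"task {tn!r} runs {tr} on {sc}, run level {rl}", cmdline))
    if "schtasks" in low and re.search(r"/delete\b", low):
        found.append(Finding("scheduled_task_deleted", f"task {schtasks_option(cmdline, 'tn')!r} removed", cmdline))
    # 3. Host firewall opened for a specific program.
    if "netsh" in low and re.search(r"advfirewall\s+firewall\s+add\s+rule", low):
        prog = re.search(r'program="?([^"\s]+)', cmdline, re.I)
        action = re.search(r"action=(\w+)", low)
        found.append(Finding("firewall_allow_rule",
                             f"{action.group(1) if action else '?'} rule for {prog.group(1) if prog else '?'}", cmdline))
    # 4. A command that names a second process image and a DLL: injection candidate.
    exes = re.findall(r"\S+\.exe\b", low)
    dlls = re.findall(r"\S+\.dll\b", low)
    if dlls and len(exes) >= 2:
        # Assumption: first .exe is the injector, second is the target (inferred, not documented).
        found.append(Finding("dll_injection_candidate", f"{exes[0]} targets {exes[1]} with {dlls[0]}", cmdline))
    return found


def triage_all(cmdlines):
    """Group findings by rule so the same technique seen twice (netsh directly and via cmd /C) lands together."""
    by_rule = defaultdict(list)
    for c in cmdlines:
        for f in triage(c):
            by_rule[f.rule].append(f)
    return dict(by_rule)


if __name__ == "__main__":
    for rule, hits in triage_all(OBSERVED_CMDLINES).items():
        print(rule)
        for h in hits:
            print("   ", h.detail)
```

The firewall rule shows up twice (once for netsh.exe itself and once for the cmd.exe /C wrapper), which is exactly what a process-creation log would show as well; a detection should key on the netsh.exe event and treat the cmd.exe parent as context. The run-level check matters: a task created with /RL HIGHEST runs elevated at every logon, so the csrss.exe path in /TR is the first thing to collect from an infected host.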

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
N/A 20.54.110.119:443 - tcp
US 8.8.8.8:53 - udp
US 93.184.221.240:80 - tcp
US 93.184.221.240:80 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
US 8.8.8.8:53 - udp
GB 88.221.134.18:80 - tcp
GB 88.221.134.18:80 - tcp
US 8.8.8.8:53 - udp
US 93.184.221.240:80 - tcp
GB 88.221.134.18:80 - tcp
GB 88.221.134.18:80 - tcp
GB 88.221.134.18:80 - tcp
US 8.8.8.8:53 - udp
GB 88.221.134.75:80 - tcp
GB 88.221.134.18:80 - tcp
GB 88.221.134.18:80 - tcp
US 93.184.221.240:80 - tcp
GB 88.221.134.75:80 - tcp
US 8.8.8.8:53 - udp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
US 8.8.8.8:53 - udp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
US 8.8.8.8:53 - udp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.18:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 88.221.134.75:80 - tcp
GB 87.248.205.0:80 - tcp

A dash in the Domain column marks rows for which the report recorded no hostname.
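
The rows worth a second look are the ones where the Domain column repeats the destination IP: the two RU endpoints on port 80 were dialled by literal address with no name lookup, whereas the bing.com connections were preceded by a forward lookup, and the in-addr.arpa queries are reverse (PTR) lookups, two of which resolve IPs that were also contacted over TCP. The script below is an added example, not part of the report: ROWS is a subset of the table above (one or two rows per destination), and the split into PTR lookups, forward lookups, named TCP connections and direct-to-IP TCP connections is the editor's own classification. The report does not say which process made each connection, so this narrows the pivot list rather than attributing traffic.

```python
"""Sort the Network table of the behavioral2 run into pivotable categories.

Added example, not part of the sandbox report. ROWS is a subset of the table
above, copied as written (a 3-field row is one whose Domain column was
blank); the classification rules are the editor's own.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ROWS = """\
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 udp
N/A 20.54.110.119:443 tcp
US 93.184.221.240:80 tcp
GB 88.221.134.75:80 tcp
GB 88.221.134.75:80 tcp
GB 88.221.134.18:80 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the report left the Domain column blank
    proto: str


def parse_rows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                  # Domain column missing
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                         # header or junk
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def ptr_to_ip(name):
    """'34.131.19.81.in-addr.arpa' -> '81.19.131.34'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def classify(flow):
    if flow.proto == "udp" and flow.port == 53:
        if flow.domain is None:
            return "dns_unrecorded"
        return "dns_ptr" if ptr_to_ip(flow.domain) else "dns_forward"
    if flow.domain is None:
        return "tcp_unrecorded_name"
    try:
        ip_address(flow.domain)
        return "tcp_direct_ip"               # no hostname: dialled by literal IP
    except ValueError:
        return "tcp_named"


def pivots(flows):
    """Direct-to-IP TCP endpoints, plus contacted IPs that were also reverse-resolved."""
    direct = sorted({f"{f.ip}:{f.port}" for f in flows if classify(f) == "tcp_direct_ip"})
    ptr_ips = {ptr_to_ip(f.domain) for f in flows if classify(f) == "dns_ptr"}
    contacted = {f.ip for f in flows if f.proto == "tcp"}
    return direct, sorted(ptr_ips & contacted)


def connection_counts(flows):
    """How often each TCP endpoint appears; repeated rows are separate connections."""
    return Counter(f"{f.ip}:{f.port}" for f in flows if f.proto == "tcp")


if __name__ == "__main__":
    flows = parse_rows(ROWS)
    direct, ptr_seen = pivots(flows)
    print("direct-to-IP:", direct)
    print("contacted and reverse-resolved:", ptr_seen)
    print(connection_counts(flows).most_common(3))
```

On the full table the direct-to-IP set is the same two endpoints (81.19.131.34:80 and 185.172.128.19:80), which is where a network block and a PCAP review should start; the 88.221.134.x and 93.184.221.240 connections have no recorded name at all and need the capture to be attributed one way or the other.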

Files

memory/3760-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3408-1-0x0000000002700000-0x0000000002716000-memory.dmp

memory/3760-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9AF8.exe

MD5 bf134f5c637789f25b450b955ee3a0fd
SHA1 03b1fd198d5dc4ed18e5b25ad9bba5f8d7264f79
SHA256 cb3013b03f1697ea6bb2ae36b1548fed2c13178b92a1b91021cceeefed61a8b9
SHA512 c57955b354586f2c3bfde76e0784653ab0c4a31e9247b2223497093d7c70bd188982749798df5bbea1be5e7fd9f8866a4ebba9a1cd1348e2426ab320ac136c02

C:\Users\Admin\AppData\Local\Temp\9AF8.exe

MD5 5f3787edb012939034e0d2dbf5c284e6
SHA1 4e642f1cf37ed0cf5dc118db7a545e618f367a6d
SHA256 9a846ef48f8e82ad271d6a615bfaa76069690c2ccc18c54cc2fc19053c27f861
SHA512 b94dda1d1898ae6a044b2020ff252b515c33cc0cc8b6f5a849effcf01e37f1f14ffb056d6ccf42c19a9aa1c64109693cc7443aeaa90323c5d4eabb92bd278cbd

C:\Users\Admin\AppData\Local\Temp\FC6D.exe

MD5 b93bd76525e0c1aec4deaed595f88225
SHA1 cd4567d4d6e8039131d8145ba417a4190c1021f1
SHA256 993b3fbccc3fb2dedeb9ebfa49b2d8dada98797d3069cd5477b6998e66d60b8a
SHA512 edcd9b822de8cd3f129675fdc3a4fbcaa55524d76fdcbe7e8791f3619d7d6387ecc9733cae28a3a41821daf0a3b1e79780b1684ad6b7e32f76e5d18bbe318c50

C:\Users\Admin\AppData\Local\Temp\FC6D.exe

MD5 58b9b3c75bac04871b34edb2af80edb8
SHA1 8741e7e8e54259be976b169130b270a7d72fbaa1
SHA256 7e5424e2366ca253d505266ffd4e5191108aeb03e4bf2763cf33d0ea01f240f0
SHA512 6a41a7da985ea1722141945f012e288d07af66e22f4f92f8be0b0633d207f84f8273b902227f5e756af3f8788f336ef7e27d7b334199e8abd8b9babb606386de

memory/4456-16-0x0000000074960000-0x0000000075110000-memory.dmp

memory/4456-17-0x0000000000B50000-0x0000000002006000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 dcf915675343df1d9cd4f859616a9658
SHA1 efd32bce1a6909598aaa2b50662e37b8e835b672
SHA256 389d3e1258bf168603ea5bc33dd314646a627f17599c48ea087c2705a5644b70
SHA512 226fe6bf455a8914206467f62f27a75979b78afce43eb00c4155cf9de037e7f091361ac6664b93f9e6cc945320a91fca48110a200d3260dbbce57206012be394

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 3c4e1ce002406e4f43bf1c4c859c67e9
SHA1 e980d41ba5f77aff00d12f5aa3a8e2c7da08b95c
SHA256 4e0c9168011c3052f6240f2cc1f6c4261b3b9965b94f4f7e0e0e987ef6567db5
SHA512 eccdd271966b3b33b8b9c5c70816f31d2a5d13c15aa078072331ddc70672ebc269c735f7f84c2dfead52aa77707b8ace190999d3051b4075efdcbd4885c150b0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 48dde736e2189f836a9c749ecaa01da6
SHA1 d1e9f805b98886ca4b472e1a56274c4972d9c10a
SHA256 ccd2e203eb993ced11f5550e1f2c1aa89f8eaf79f46bb16ba74d9a92ed5776c0
SHA512 edfa236ccc29f84a3f34e4c4e90a282e270a84d3f72da626838aeee87ee57ec486191e44b9df03093389336a1ffe073bad63fc3bf210b411943851aec5b71bf1

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 b6e4670fe3bd66bec297f5e6efa9243d
SHA1 70e34acbfdf9b25bccba5557cd056173400d5d6d
SHA256 4ac302dadc9c58814324937d7ed970ed6567480ad61a80a2bcc23b78d61117ea
SHA512 7d62f30e117922dc91121456bedce7a8d562544f909f39d6282b99d3e646a46295f0daad2312a7b88c4ee2a2211a1d16a4306b00c6a719fc7357a3850b6e7a83

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 028760df8ba33a190d7c7925895e21c8
SHA1 e9b04b7e2cb851a893e57d88322ed4fbd5c2609f
SHA256 4600beb04ceae7b614defc34ddcdf6b3b05f49f6d6cd2d2d1737575a58e73a30
SHA512 3068e88878aa8d201b4721fa6608ccdcd341125d99673a0474bddc10eac32e19b670d3893a8f216585956a36fcbcb21478ce97127db43cf449d0d6fc45eafb9b

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 16879ee8a51ab934d7b9a36b0d9a6290
SHA1 1d5325273172eb91427cadd4c0336e8009bcc414
SHA256 3ccf19097a58b6480513591b977231ce2548274027bf805e85619aa62933839b
SHA512 7fcc5733e0151c967b1e0564b92863dc21fb7db4b9bd0e71656ed2995661888055e24c257cf7e7313538b00610b8aabccf1f7cddd565baa3bcba9dbaa0014c3c

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 cfc6d7295b3b4d4aa2483a9f9eccfd02
SHA1 6b843c2cb9d2d884f6ccbd37598c8a416fd3b416
SHA256 aa17ed195a87421cd76a985c1fd49a9266c1a188437a3bee1ff1345e592f248e
SHA512 59163400a29d578e3d68423a00b31ee6bb8f01689f3a67198d2081c297f33577545b3277dfb82fc53e14f25964c8dde35acc56c1b45ecfd87d8088773f6917c8

memory/3816-53-0x0000000000B10000-0x0000000000B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\102.exe

MD5 a74ef144ff5b57633f1a979d3e24d78c
SHA1 75742ddab3b1d862f709cc4c9bc106fd317d73b8
SHA256 cceb8184a000c8286c34a3c0ac4ab9d632be9c40ea6e0161e0db39be36fca3fd
SHA512 86047cae06b85762eeb2ceeab04c52e982644ad3aa4c68db8b90f404d8c15ed769e38e40a6272932b622df0fbb73125b0774ff9fd3660fc5524add7cc87f08f8

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 da12522b412a9b5200caa0d687164427
SHA1 e4154205f26f055ba4372c4face920a7db5a1fb0
SHA256 7c7a527af2f492bc8ce4acc656dec5e28ba4ef918c0de0520e40926b5fc8e098
SHA512 3ea9f57da86650906291febee2bbf4cf70754c54dae20485c420a864e87940b19a1413f0de412b0bb3c23404f5b9d25a5d08397ad6fa802a499fbb0229e896cf

memory/244-62-0x0000000074960000-0x0000000075110000-memory.dmp

memory/244-63-0x0000000000E50000-0x0000000000E8C000-memory.dmp

memory/4384-66-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7194a273f3a0cc44032296e26fafe713
SHA1 a2f327354c78ab34cde8962187fd63f0792ebef8
SHA256 e4cd7474be0b12d2f1d46cba74874820e8974fc46d3ec604cac6d049d956fc34
SHA512 6376f79775a34961be668807ac9cbdda1a2283b96a67b63c712d4bd161df84b3185b00f2b4013fa6855d4cb2d0852520fad89b5071ad3ea1309b641d90e46c1d

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 c0cf05c84da41e782646a74d9a7f4df6
SHA1 cf26da0a5d1034871e5483b6635980c0ab0be0ec
SHA256 4fbe6d0bffcd5edc4a70d26d78b01f1a9bf101700349535a2e205dc7c1d90ee1
SHA512 ce1155d0535dd1b4106f93717b9b7967e86bc4a498ee898e63fb87c89d2b56cfaec550cd37e635f2435a643085472d74344c08f73548bb89808c74feff6bc755

memory/244-76-0x0000000007C50000-0x0000000007CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A8HOJ.tmp\tuc3.tmp

MD5 4ec7571bcf9d18fdfc1b388d2640cb54
SHA1 72566a96bf355d336dab27a9bbbe0c15738fa6e0
SHA256 23ae61383a973217e81ddaded7f2ed687b2511e2b4487ba6076cf8a7801bb20c
SHA512 9842c030127c09a2973666d195b41ea08ac222ecb9d536dda44f5c8affaca2135e2bafd05d209c5476daf30e081aba4bd2fd81c3ba63fa990d0ab45bb7147063

memory/244-82-0x0000000002EF0000-0x0000000002EFA000-memory.dmp

memory/3256-100-0x0000000000F00000-0x0000000000F3C000-memory.dmp

memory/244-149-0x0000000007EF0000-0x0000000007FFA000-memory.dmp

memory/244-191-0x0000000007E00000-0x0000000007E12000-memory.dmp

memory/244-195-0x0000000007E60000-0x0000000007E9C000-memory.dmp

memory/244-238-0x0000000007EA0000-0x0000000007EEC000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 d1807de3a484368b3fdefc743c9cdfdb
SHA1 655bdd8639717c7add6ef189ea507b052ba7b117
SHA256 4d7d97cbd0ae42b36a89c4d2926719beb0cbdfbdb633b9eb877db6c6d75b9ca5
SHA512 e2c32b97203d9751b43ee94133ee3c13e0b3723d80890f0e7d662d641a18f65f2214734128eecfa44a9a168185f2cc7e7d018676ff9df56e622e193256e20a5f

memory/4236-240-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4236-244-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3256-246-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

memory/3816-251-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/4992-250-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4992-252-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 b82bc47961d6757e404d2fcc7f95fb2a
SHA1 b95bc554e41bd80038c7e9c4fe035cd91eaff90b
SHA256 2658740fbc5768a470fee4e4dadbc68bb523cf630e5c076b9c06d5749ab0f731
SHA512 e335bc7cde9513efb5cb95840bfa3ce83f0238932f60ee63aa41b0009196326e47e37ab7b819e283125cf7dfd93278fcef4ea3a9cb86a03833b48921eda74cfd

C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

MD5 9341124db46a39aed3d153f29f5bc1d7
SHA1 6636416d35cce44737dbbebf32c1ee45672a5ae5
SHA256 b4166c59f5e10e9e577550544103db5ff9586016f41d383eadce0df417bd5a8e
SHA512 372e5e221cffc6aab1ef8b3b9c1ab36bcf525e25a2a78119a168a9db368c6ffdae987b21249b91dab5597a75aa99ab4afcc9509f493ab4f3a8ffffd30e139851

memory/3256-241-0x0000000074960000-0x0000000075110000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 e526eeedd2706ccef571b5fa7cd7eb51
SHA1 b0267be685ac85af279d12a4a1e23e8e18c5e3f8
SHA256 75a1d43475f545a7346d50918fe17711c9c54b42a4b27e3f97e12414cbc48086
SHA512 259b30967c11c7b578808b82b8a43384c9e9d7ffbc7719b2e628dae783a6d2fe7af62136048c56814e2a32d3c56d512d696d8ae6ee0d5bb0cf1dbef4b406116f

memory/4236-239-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2668-254-0x0000000002980000-0x0000000002D87000-memory.dmp

memory/2668-255-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/244-256-0x0000000074960000-0x0000000075110000-memory.dmp

memory/2668-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2152-265-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/244-264-0x0000000007BF0000-0x0000000007C00000-memory.dmp

memory/4436-263-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 28723608bad04c4b3d370ceb46b6949a
SHA1 8f3d50b5e1eab8780208ebbdb9b601af77b32c99
SHA256 8623ba5b5103b9dbfe99a13c8f65660c3116084f903fb9d3722f8e9efc039786
SHA512 7a2b4ae3441507adbbbb217d906713c57b0e55642f546bf52965adf90db56647f5a460b501b66649a266de797874541af045e92fe2bb95bb684fad97003da105

memory/1740-262-0x00000000009E0000-0x0000000000AE0000-memory.dmp

memory/4384-260-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4360-266-0x00000000053B0000-0x00000000053E6000-memory.dmp

memory/4360-269-0x0000000005A70000-0x0000000006098000-memory.dmp

memory/4360-271-0x0000000005430000-0x0000000005440000-memory.dmp

memory/4360-278-0x00000000062D0000-0x0000000006336000-memory.dmp

memory/4360-283-0x00000000064B0000-0x0000000006516000-memory.dmp

memory/4360-284-0x00000000066E0000-0x0000000006A34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fj4b2why.skg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4360-285-0x0000000006620000-0x000000000663E000-memory.dmp

memory/4360-272-0x00000000061F0000-0x0000000006212000-memory.dmp

memory/4360-270-0x0000000005430000-0x0000000005440000-memory.dmp

memory/4360-268-0x0000000074960000-0x0000000075110000-memory.dmp

memory/3256-267-0x0000000074960000-0x0000000075110000-memory.dmp

memory/4436-259-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1740-258-0x0000000000850000-0x0000000000859000-memory.dmp

memory/4456-104-0x0000000074960000-0x0000000075110000-memory.dmp

memory/244-103-0x0000000008D30000-0x0000000009348000-memory.dmp

memory/4360-286-0x0000000007B00000-0x0000000007B44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-T435E.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-T435E.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/2152-99-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 71ab893e6b9085738f6e98514aa945e5
SHA1 fd1b16d13bbef4512a08f09ac2b4e5079245fe69
SHA256 22eafffc683f9e2e983e00b1f1d49443d3e8e628a1e5915367139e0f0f1c27cb
SHA512 1907f500e076c66779944fd81a65f980c464e1fc655b3d0d20601a98966b9903c9d74ab7cd11b7847988499290eeec1288a641ca301eb78ca23c9e402cb21e87

memory/4360-287-0x0000000007CB0000-0x0000000007D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A8HOJ.tmp\tuc3.tmp

MD5 5b84c544d2ae40dbcaa1f60854dff885
SHA1 d7e1334815eafe3beee564984744be23c4e4e289
SHA256 a21b76fd8fb648a3822cacbf89b98cd6e19ff45e515a0998ce6b41fe2679ff3c
SHA512 bd31b24ce225e9c0544c5125974684596baf31adfb0ae44417b840a04e35ac574a7ed56fd6a43b79ede20e24df63872ef05a14f34274ed77944bb22d00a82346

memory/244-78-0x0000000007BF0000-0x0000000007C00000-memory.dmp

memory/4360-288-0x00000000083B0000-0x0000000008A2A000-memory.dmp

memory/4360-289-0x0000000007D50000-0x0000000007D6A000-memory.dmp

memory/244-72-0x0000000008160000-0x0000000008704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 047ba62ff2aadde753c6cb5cee8b4c6a
SHA1 33a7f188af19906abd608268a34808340ca0e0e0
SHA256 fdf0a87a6d804ab694ded01c468da9003ce9e64a40143ac336e30035b6875ed1
SHA512 3d28607246480d9ad864edb69dce406c76accf510ce74b9115dc2ba6eabf2b63bd6b5938f4e9b15c196a4da3259f0aabeb72cd32531f9b6fd38c994cd0b42d5e

C:\Users\Admin\AppData\Local\Temp\102.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/4360-303-0x0000000007F40000-0x0000000007F5E000-memory.dmp

memory/4360-305-0x0000000007F60000-0x0000000008003000-memory.dmp

memory/4360-306-0x0000000008050000-0x000000000805A000-memory.dmp

memory/4360-304-0x0000000005430000-0x0000000005440000-memory.dmp

memory/4360-307-0x0000000008110000-0x00000000081A6000-memory.dmp

memory/4360-308-0x0000000008070000-0x0000000008081000-memory.dmp

memory/4360-293-0x000000006C8C0000-0x000000006CC14000-memory.dmp

memory/4360-292-0x0000000071970000-0x00000000719BC000-memory.dmp

memory/4360-291-0x0000000007F00000-0x0000000007F32000-memory.dmp

memory/3256-290-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

memory/4360-310-0x00000000080C0000-0x00000000080D4000-memory.dmp

memory/4360-312-0x00000000080F0000-0x00000000080F8000-memory.dmp

memory/4360-311-0x00000000081B0000-0x00000000081CA000-memory.dmp

memory/4360-309-0x00000000080B0000-0x00000000080BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a64c5d2254d168e67e886c6e0d1ae424
SHA1 76ea33f995e48bbefa0cd90abb9374a682961a74
SHA256 9012cbf1cbd1d4be8bdca8add3fac822856aa7cb1975c15a67647fa9ea9b6bb9
SHA512 0139abfa6ef5de4fa66d57661f5222cea491dd4106c03ad5eb90157242dcb67a61aa98176d6c69d7b7ed912a5e20e1c7cdba3b4fd28617b4be7ee53c8eaa5f66

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 c3169f444522e151d7d2895d83f79c10
SHA1 c85a06ff883ed8e1c74a64f1366bdcb8da6f6c5c
SHA256 e2fe155181560953dbe3d6a8021bf284c379c2fb329e3add16047b10750162e6
SHA512 890db37bf8458fd6c6258dc4da2e5387536f880ba3035e381ba998148802e8aaae333969fcf815ca706f32acfb0aacfd24abcb650a2412c0d854500e1ddad4f0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2264d77194cb550fd290c9b334abffe4
SHA1 d6f85c34ac3cb7a181f3418c2d6cdcd6c72c3e90
SHA256 518a62a9fedebb7cf95872e1caf4e6178b91ec6f6449b7eb7176c9cbea413e14
SHA512 adbefe28cbb918d4ec971e1c2133d2baf347e41326f78fd11ee204ddb9c4a4a075c28c7b5aac2db312e2a758d3f9be4c57a9eec5d973f49aaa19b7b462c4191d

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 a3396c4d946e472a4239a6a526b36552
SHA1 b32bd0047bf88947e676da9965bd1994371fddcf
SHA256 71e62b895d0579f8595112f7731af20cb420f19344c031c48d2be482d6bc3cfa
SHA512 00c1b36b921891acf6a515fc8c6996bac9b748ac101fd1138c6c63cb1c6ed1fa1f843af592bab68989b194adbe9d60575fe4308b72ccacade0486ebfab5b0a33

memory/3816-324-0x0000000000400000-0x0000000000965000-memory.dmp

memory/3408-326-0x00000000009C0000-0x00000000009D6000-memory.dmp

memory/4436-341-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/528-367-0x00007FF600F30000-0x00007FF6014D1000-memory.dmp

memory/2152-368-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c73b948225cc21accd6bf5fbdec3cc67
SHA1 f387a9a6915f7fe261d7fca31d58de887523d13b
SHA256 94912718e5ee8ce251741763427d17982cd191ddc815ed3053bd2fdb9bd90da4
SHA512 532523fcb0a65bca0769607878cf67c0aad9c1e512c7e77b88324d532dc42aaed6b9719e774c366b7a29272698c1d9f1df68e49c16c384e264ad9343caf6a2bf

memory/4992-383-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8e8c4dcacbc791e6c9dec4985d59df62
SHA1 ed155dd5c5d531992adf94619a8c8e805177748a
SHA256 d7cdec2a33c0212a5f1c33ed1334f69f7ef635c548a09644087676ee334c0ae5
SHA512 f65f445d314f799c90bb01350e03380e7612e275c8369aa0e4cfafe33d7527b83210e719c78b2fd26b217809ada9b431f60aeae7e4e3b9265a0742e85258da79

C:\Windows\rss\csrss.exe

MD5 b8ec55c3c720c2a7f4c41a3e70a83eb1
SHA1 14e22691e391c39d463988adbe7c18af4b1b6771
SHA256 19c0b91da40bc6d17c1ed1342a223c7b32987004710ee1e553b82eca432e4109
SHA512 f27e3cf79ba29b58fcca14228857847994d911f9e09e93414098ae936d3cfc8d2fcca74a1891b27398aee2c772d4f3d07f823e0b5f0ee472d913b6772a80560b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e8fcc9b6570a7dd1f1575825e9b72a90
SHA1 75c2eb4971b4db186e72d2d0128b79d1b7bd6e7d
SHA256 e5aa63f5449990c37826c2ffc8589813fab33e17d57e745e2ae7a7bbb9c47cec
SHA512 528354b3e974a161f8962f4445f6de40f9a5e6c01e383731d3c47f12d7c45756822ff545ffe36b5c029a1bce464e0bc4e9c04586b9b4325ea00b4fff028e4ea2

memory/3376-452-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4743.exe

MD5 78c69bad5fd9ea670c85d4f2c252bbb9
SHA1 22bc081501193d3ece71652525f129697320c83c
SHA256 fcc64882bafd99f8faf193b9efc70d0341da6000d6a6c6a3a370453ced24c9da
SHA512 4d80896a7724aed3029957ccf0270af3f8f6cd79716784d5d3237e380daa19bb69a1ecc3ee9062685d8b787628e9fea66a13f135bc7330f435b36dc1c913d9d5

C:\Users\Admin\AppData\Local\Temp\4743.exe

MD5 2a690b0831ef29ad83b2b362c07f1979
SHA1 532f7841c3e96f5fcec5356f405600820daea5ac
SHA256 5c3985ae00951843a69aa7ef79853f65331a08556cc15c130d40a9823abe76c1
SHA512 f27193dfdef71f6e9f158ae55b08bb149f00ce578c0769f5a77d1554fcdf2d9726686499c8b64b05190f3b28a4073ff1e2d084514e2f4046a2327669eeafa228

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e997578598eb16e3796598f11e307592
SHA1 5234fb29976a659f71a6e88b02f436c1fbc2f2d6
SHA256 80249011c209e81970033f85dd28f4f8e7d0dd3b78231fa7df210ea5c84493bf
SHA512 054b1f509899cba113fa95638741516744539dff4f144287f8a9c76908723b4e4db8f381798b53b2565fd111df58a2f3d4d24ede3e84ea8f455979fd9a819a67

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d9cc8883cda3dac8816b19ad0733baeb
SHA1 5c4e63739b6bf6ab027e36b1edbbdb41a733158a
SHA256 a9952c2edfdc29c5fc59c229b376aab8c0506ecee66f5cd4ca0dcc420c143e65
SHA512 9d3425a4a48c35704ffe3aacde0e37a120900b706bbc9ae2badb15cec2a34c7bcc9f86c06bcff91c158ad8ad4f83dfbbbe5cf0e5606ba1cd4bd46d62c49b9be1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 3e1eee60b15b54ef978eb98c7a10bb20
SHA1 746c687293cfa99d6e78e9e46aca83ded128eeea
SHA256 186f7d8c35482d06de12087df3faf731358401a541d5cc67af8fb03dc3fe31b1
SHA512 3eaf282c0f3835a0fc21bad34c0f05b5dcd2d3eb4313d4cd0ad7baa3cf07309e5c968bc4ff487f60ff92b43446b18b12344ac05c4d6bdf2e5912533ff107ebe4

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 6b149b660b20293abd0f696a414d5803
SHA1 dbc65d9bbebd3c0841bda6b54c832b961c390e2b
SHA256 d06e206de1f9961df79445b5f693ee3730a12a65eda7ec74e34d410a93728f6c
SHA512 f6ea1844a9ddfcf9a6e2576361dd05c1100b6fd864a4f756d8ad642c3095f2f407aab4b7eed27901c589e32d6409ae63365473bb5e0b9feada35529e6722cc91

memory/4992-555-0x0000000000400000-0x0000000000785000-memory.dmp
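
Two things in this Files list are easy to miss when reading it by hand: several paths appear more than once with different hashes (9AF8.exe twice, toolspub2.exe four times, 31839b57a4f11171d6abc8bbc4451ee4.exe four times), which means the file on disk changed during the run, and the memory/ entries are dumps named pid-sequence-start-end, so their size and base address can be read off the name. The parser below is an added example, not part of the report: REPORT_EXCERPT is a subset of the section above with only the MD5 and SHA256 lines kept, and the digest-length check, the rewritten-path rule and the "dropped outside the user profile" rule are the editor's own.

```python
"""Parse the Files section of a report like the one above into hashes and dumps.

Added example, not part of the sandbox report. REPORT_EXCERPT is copied from
the Files section above (MD5 and SHA256 lines only); the checks are the
editor's own.
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
memory/3760-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3256-100-0x0000000000F00000-0x0000000000F3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9AF8.exe

MD5 bf134f5c637789f25b450b955ee3a0fd
SHA256 cb3013b03f1697ea6bb2ae36b1548fed2c13178b92a1b91021cceeefed61a8b9

C:\Users\Admin\AppData\Local\Temp\9AF8.exe

MD5 5f3787edb012939034e0d2dbf5c284e6
SHA256 9a846ef48f8e82ad271d6a615bfaa76069690c2ccc18c54cc2fc19053c27f861

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 48dde736e2189f836a9c749ecaa01da6
SHA256 ccd2e203eb993ced11f5550e1f2c1aa89f8eaf79f46bb16ba74d9a92ed5776c0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 28723608bad04c4b3d370ceb46b6949a
SHA256 8623ba5b5103b9dbfe99a13c8f65660c3116084f903fb9d3722f8e9efc039786

C:\Windows\rss\csrss.exe

MD5 b8ec55c3c720c2a7f4c41a3e70a83eb1
SHA256 19c0b91da40bc6d17c1ed1342a223c7b32987004710ee1e553b82eca432e4109

memory/4456-16-0x0000000074960000-0x0000000075110000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (files, dumps). A hash with the wrong digest length raises ValueError
    rather than silently producing an IOC that will never match."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            current["hashes"][algo] = digest
    return files, dumps


def is_well_formed(text):
    try:
        parse_files(text)
        return True
    except ValueError:
        return False


def rewritten_paths(files):
    """Paths recorded with more than one distinct SHA256: the file changed during the run."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


def blocklist(files):
    """Distinct SHA256 values, one per line when written out for a blocklist."""
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


def outside_user_profile(files):
    """Dropped files under C:\\Windows rather than the user's profile: needed elevation to write."""
    return [f["path"] for f in files if f["path"].lower().startswith("c:\\windows\\")]


def dump_sizes(dumps):
    return {(d["pid"], d["seq"]): d["end"] - d["start"] for d in dumps}


if __name__ == "__main__":
    files, dumps = parse_files(REPORT_EXCERPT)
    for path, hashes in rewritten_paths(files).items():
        print("rewritten:", path, len(hashes), "versions")
    print("outside profile:", outside_user_profile(files))
    for key, size in dump_sizes(dumps).items():
        print("dump pid/seq", key, "size", hex(size))
```

A path with two hashes is two different files to hunt for, not one, so every SHA256 has to go on the blocklist. The dump naming also separates small regions at 0x400000 (the default image base of a non-relocated 32-bit executable, typical of an unpacked payload) from multi-megabyte regions at addresses like 0x74960000, which are far more likely to be a loaded module than the malware's own code.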

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:01

Reported

2023-12-11 03:03

Platform

win7-20231130-en

Max time kernel

101s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61FE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\982B.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\61FE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\61FE.exe
PID 1348 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\61FE.exe
PID 1348 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\61FE.exe
PID 1348 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\61FE.exe
PID 1348 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\982B.exe
PID 1348 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\982B.exe
PID 1348 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\982B.exe
PID 1348 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\982B.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

C:\Users\Admin\AppData\Local\Temp\61FE.exe

C:\Users\Admin\AppData\Local\Temp\61FE.exe

C:\Users\Admin\AppData\Local\Temp\982B.exe

C:\Users\Admin\AppData\Local\Temp\982B.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\9BE4.exe

C:\Users\Admin\AppData\Local\Temp\9BE4.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-06PJC.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-06PJC.tmp\tuc3.tmp" /SL5="$7011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211030249.log C:\Windows\Logs\CBS\CbsPersist_20231211030249.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCDA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\312.bat" "

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 tcp

Files

memory/2068-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2068-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1348-1-0x00000000029D0000-0x00000000029E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61FE.exe

MD5 95bc79e4ce20873519efb0c004c42757
SHA1 060e823350ef417179360072eafd919030c474f5
SHA256 de072740f6d2b191dab41f36d2734f274e20bfc46e50080361338ebf79c1511d
SHA512 955d5b3873441280cc003a02d14eead9aa26387ae745389ae9edcc1555a4d433bc242c063a3b97047d2ac8fa2524896b231d36a415380f11de5849edc62e3370

memory/2576-12-0x0000000000430000-0x000000000046C000-memory.dmp

memory/2576-17-0x00000000747F0000-0x0000000074EDE000-memory.dmp

memory/2576-18-0x0000000007540000-0x0000000007580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61FE.exe

MD5 ed9fb82cb4493c847785b8bd44f0f279
SHA1 4ad7edb4bddbc6b8fa309af90a14083b855f6582
SHA256 4ec8b4a498cf7680df63cb5206bf6bdc8998d8a6969b0fa10780be80ca51b824
SHA512 bd1813668daf8302dafaa2ee534cc6ab9aad59b0a254f910379816b884157cae5b334b029a5f3b64d34e3a1da80bdc9c7e16485da3394750e2eee70c43d62f2d

memory/2576-22-0x00000000747F0000-0x0000000074EDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\982B.exe

MD5 234453dbc818c06dc635fffe9dc911a2
SHA1 e3a187058fd4ec39c0fe0ecea691baa7df90ff87
SHA256 881e5af659ab01f9b3423e32dc3d468509eec2e205710ade8438fbb5faef2ff3
SHA512 9e1927ec7da398ffe53b56371f39a3d30e521b4110f44012186b313ab22481bf903508a7e3228dc7e74db51e463cee62e37253d3af468b7b9b322dc8065cfee9

C:\Users\Admin\AppData\Local\Temp\982B.exe

MD5 cfe3993a62b361475b0ab864d13b46b6
SHA1 01ad280f73ae1b2a8a801390856e910f41fbfa35
SHA256 1ae81b5d7b25f532fd0e9afebb2b003b83284d8c37175d34e60f216d4595b195
SHA512 769fe64a7a1cb39c4ac749576a2e0442edc7e94ed3b14d169480bb6ab90d45ad04ec6aaee653cf26db864c9a579a2a330417277a14d6e6aeae314724e47fad28

memory/2752-29-0x0000000001270000-0x0000000002726000-memory.dmp

memory/2752-28-0x00000000747C0000-0x0000000074EAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 5b82df8e2a51a6051c37471eb238d1fb
SHA1 8ce9b828c7d2c92dacb09866be84621762c7a127
SHA256 4e1faab31f56075f45ab586b1658acd855b80f8e75e29d303afe4e371c129bdf
SHA512 eac3732e68ae4a9b0cfb39fede6e6403a2b23d16ab401eaaa589003513c3f1b40c33814964f42cce59534b804c250cba2af88d38d14a5b5d30d6ed7aa2ab774e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 904094f84cdf8a2ef499dc7de363932a
SHA1 53d7c561e7ef8a2aa14e45f4f9d67961edb6439e
SHA256 3e7e46e66cf544a814a565278dcf5cdb36959825f3748ba316f0f9be1c8fe513
SHA512 9825d62e249499939e1463fbd68e95f5552039ac2a0634eefa7445effd025c485b339c7d361542e48388d0f555d45b810fdf376c6d53e0f7ce7a06effa8a7941

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f04ab1eb4222af35e74c3d36580a83c6
SHA1 67fbb6996d1fc23ee6f39f7b0bc6464ff9ae7f25
SHA256 29b191f2750344ff8644014e231a61feb4527e3496b50e6a8a3ca3633e6b940e
SHA512 96a822e2bc67653036bf91c9cee6265ac06b5ef70f119b674d2daeb51ab227ccf2d7920eec8c26091ac7f7a3a75dc50028de48f16bdfeae1d5373417d1d81580

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 921696ec50ee61aafea630c604168485
SHA1 2e55cf5e0f8b58851d8d681e23e5c0bdf6cda9ea
SHA256 c4eb123b0dd4179c679f133d2191d2f0f7ad81443c5317c89220c28b987f1eb5
SHA512 78c5710bd888b32e72d892f2ad4f37245dca7813c5b3b9a6d9201fee5b931776b5ac2f5a6d2350e3bf6745bec2c76d7a673f91c9defab075c766a7abbe07559b

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 4cf5e24e8581087df2c8eae4dc5ee2dc
SHA1 66343278de901912a342fb363e8407a156743a15
SHA256 816715071e90d4b2eec10e8d4e8e8a67bd99e077c259d397f9d14bd73375ea1c
SHA512 111b1e724a655c59f228c9fcfe9cf46fbf03e47c7935235a18c00f6961bf9a01d01d839e90d73c45c19f7b40d56bddbe8bca55bb1676d5874610f564600b83eb

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 00d3521e5e8bf76a4d4efbcd89897a88
SHA1 7534d13d7c387be0aa5430121c46d0f54f6329dc
SHA256 2ded14611a6dfd36079f4a98de8f4456a1e2cf3331e76ddfaeee6b98950b0bed
SHA512 0bb7c67de565e9612a0dd897580849c602ccd4a1774415d67b0442bd7a4e4f3aa5718c6da655e0ac450d000b52512aa04d6b55ad46a475461849c844ccb34832

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b1f5896e60f94e9e14bed0ec110fb2a5
SHA1 879d68827d6fc17a4c1813a70c3f5902c5959103
SHA256 b534acb6db481fc0dd4b3e287896b7a5b3eddf815c4b2a79bcf8485032b0c53c
SHA512 dbe801fcf94e35de9a513830acc2927bde07ad92853031053774f274b212869d8779fb66485630970278444d603ae5eeff557931080487009f1ee6ebf2cf68a8

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 e35159e1437cd083d5769a510d9da9b4
SHA1 7b2dd6b41d3143e5043af68d2f25dac7facca123
SHA256 44e88e1f330a89d22ddd1deba22bf1e26c759d18cf5aebe8011293db425babca
SHA512 523a2e08b5d4bf18cf7e43bca9f7b8ad08b78b1bc81c577eb6645bf3da538b30be4693bfba71ff9e09fa9dc7c7b4512e6f07beed99d827647ec85d0f53fc4a71

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 027df5bde76cebad19ad812bf1d8f8bf
SHA1 b514e79ba52c566642591af8182807dd0f98f5a2
SHA256 e1ef2907557c71c8b8b06d48d81a8b7e5a978c9c4893eb302008a1707343c4cd
SHA512 36e2660905a18d74e691e5bd8b9e8e97977ed2e5be8085ffe8c11e1a90679639aaef39212522c221c8ecb9c32bdb02402e040ad7be9494296ddd7b479acac766

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 d1be7599d47f33f31f50412ae251ae8e
SHA1 c6e9860f1a20d7dc03b96ae315d852107d9076cb
SHA256 87671d46a9595792f885c735e9601628bd8ef157c1acb9be76bc52c84ff6808a
SHA512 3cee4617a3ae946df0fe14125e89d3aa7785dc3f9cdc100ebcd42307324177d54caaefb80afee761676d38c2cab5fd367b40c6cc7185777e9b27c7041d457fed

memory/288-76-0x00000000747C0000-0x0000000074EAE000-memory.dmp

memory/288-81-0x00000000005A0000-0x00000000005E0000-memory.dmp

memory/1184-79-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1536-105-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2248-116-0x00000000025F0000-0x00000000029E8000-memory.dmp

memory/2248-117-0x00000000029F0000-0x00000000032DB000-memory.dmp

memory/2752-119-0x00000000747C0000-0x0000000074EAE000-memory.dmp

memory/3012-128-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3012-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3012-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2992-123-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2992-120-0x0000000000C40000-0x0000000000D40000-memory.dmp

memory/2248-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IPQG4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2248-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2248-132-0x00000000029F0000-0x00000000032DB000-memory.dmp

memory/2248-133-0x00000000025F0000-0x00000000029E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-06PJC.tmp\tuc3.tmp

MD5 fc7a091c0a38509e9527fb3cc7857ead
SHA1 1dbb316d37bd0c99494d2a569d011f767183dcca
SHA256 d175062ce0e3af41759b87150fff244504a68fa90990398d533eadb98a38dfb0
SHA512 0ae82cedc0da481f3a25e504b806053d79aff53040325182a4cbbd17a2f1916050c30d9f6d35cbdba5483596406143b6bdc2c5865db478f036cc26f7c67d31b0

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 57dd50700a75c8b04804aad7a567284b
SHA1 555ff20c8358483329cc899176910b225e478e85
SHA256 8ad1349184baaa9071917fb80dad33ec0026ab2b209242fbef73536800a380aa
SHA512 7893024121bbba1bab2e55dc5556c9436b08e08af6b9438f3e175157ef23f7a0bdd3c3abca854e5e696e11f1f23c22d1b2e07d66f88ee9088047960a34fca33a

memory/2248-74-0x00000000025F0000-0x00000000029E8000-memory.dmp

memory/288-73-0x00000000008A0000-0x00000000008DC000-memory.dmp

memory/780-72-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 6161effcbfee61853e76e618b3ec4300
SHA1 7a3bad92b64cc0a57f34b0dc42dbf6fd8b9b7339
SHA256 5e63e60fc3b091b2d89d4169efd37b95c93daceb6eb83bf2f95f138176b07d9a
SHA512 1ca43db17a735e9afeb9c5309f385a1ecc72e30e55331cb9651540dedc4be734cfd2197bddc8b945192fa4c3a30cb6243e6c22eeb2282392190e0cffed6f8394

C:\Users\Admin\AppData\Local\Temp\9BE4.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 e3bc70f7cd3b5525e333a0429d133795
SHA1 c779c2a035302213b2e675cd2d05f74d21c70d10
SHA256 367a027179df37ac3a42c7b9f8c950fdd8f6954c90867e0928a4ff6de96f80d8
SHA512 fe771c4048b6cea98f6bcb220f4727f081a2a28694639d7f873596222199cc1adf53ed5a68dcd7aed8b226deb5034ef0588a3ac0ca20fad05344ad044726c399

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 07e2c0a87e221b732b5416cedf661bcf
SHA1 eb979571bdb2a504e533749a734a8f4e4d59b033
SHA256 6023efda02152cf26b9782c1fd91551918e13ad07a4361458fb13c32b1a886b8
SHA512 ab0640fa0d353251742a9fb31ab4d25581fc89e45a9a1239487dbeefc5428800fbfbfdba5ec7ba489ad279d3539aaa0d487c3676c0eafb322b1a5197a4640d26

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 bf438640e223eb5ab11e5c9340e522b5
SHA1 3c7cefcbc55fc345022a733dffceb32d617249e0
SHA256 7db10b42df92680c9e7f22b67d03924e3f7e842489fa46c1b409ed97b5045848
SHA512 8a59496bfcb1db95720897ef68b131e63f7ae077e156d88e1b55f390571d7c259350d9fbe5e8c341381225c362f62f2340ff4b6f06bc97cbd09cffe912bd48ec

memory/1696-134-0x0000000002820000-0x0000000002C18000-memory.dmp

memory/780-135-0x0000000000400000-0x0000000000414000-memory.dmp

memory/288-136-0x00000000747C0000-0x0000000074EAE000-memory.dmp

memory/1184-138-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1696-137-0x0000000002820000-0x0000000002C18000-memory.dmp

memory/288-140-0x00000000005A0000-0x00000000005E0000-memory.dmp

memory/1696-139-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 b5fef93bc2a087b1af2d901efc587e1f
SHA1 a5b1d07e9d7d8124f2e323f6531c49c5c960cf77
SHA256 a6b59486f750c6d9d04f05cccbdf43eacdd5ccc3a747777ec3e446e6c5b370ee
SHA512 82f356bae3ecf2a30c09c6669cc664cf13db344769e10a8834de73985c4b8eb5a8df89a9c56a4a5ede9a19a9637bf56f5438a5507d3fb8cef0542bef817d17b4

\Windows\rss\csrss.exe

MD5 d0388a4e38bd52365dfd63073b5aae3b
SHA1 a4a0bd5ef3c2950117cfb04b8304ccbf45307d68
SHA256 5eac75685dafe05147f2cbd2be972690bdb0ca4dcad584f3002f52794276c469
SHA512 95f7140c8815f19c597dce3aa90ce104b49ec5ea41c17cd175716986a1b27ab770c73e143390164ad533f961b0a993cfcebabfe0ad84e540d019138932e90aaa

C:\Windows\rss\csrss.exe

MD5 f4b6569686a45ed69f7b65e54da50a64
SHA1 47980e46d251184f0b73e72b0f964a9574c13134
SHA256 57bdca1c4c8350f9829c86dbfc3c72829c41a2a362122530cacfae818da2e597
SHA512 d6713c13f5b0b64eae6f40b6841f16a82ab8c45d4af451d87f13730b7a4bd28a90fcdf8bb0993988e2075abb1292747a7af47996a8ebd452bab8eba92c5566e0

memory/1696-149-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1696-150-0x0000000002820000-0x0000000002C18000-memory.dmp

memory/2640-151-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/1348-152-0x0000000002E00000-0x0000000002E16000-memory.dmp

memory/3012-153-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1536-157-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2640-158-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2640-159-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 49a00e83c226fc07c8a9cc520cbb38d5
SHA1 2d410ac50489d2c06ae9fe1b2b40be8bb9607d25
SHA256 b20b71bed2ce610b097acf8db83de11ce4a79001a2d4eb0ee54f09f189342a24
SHA512 b24cdcb284db81cdd2674cf00f14fa1892cf0b86cfe0a83f2b03ddf20f0b8762ead3bc18933d8503f6b2a397d6361b417d81ea4f91a52bf6ecb3d6da9396b903

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 578e4ada1b35259562dcc5fd1be0a224
SHA1 4e9745c8ce3e79b7ee31342f56e50a0a060176f5
SHA256 d4177e5a4a1400359d711bd856c30f356b6af0834e912cb70c3b5b6cf976d47b
SHA512 c79b77d918e0344c1871d672a70182f2f8454a1733c945252745758509eeef232adb78ab69f3cb47dd92ee680a02ef2c640dc20a34e8f7177cbf0312de174343

memory/2400-172-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2400-180-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 27146155868156e2691456c281b4a141
SHA1 ed0120283a8a28aa842daed57c4ad0458a50ea77
SHA256 7400ba0d98d5d004dc4cb977167a9cc15c6cb5deedabbcaf1adb49e7eedb7453
SHA512 2fffb3580fcb9a55053000102f113d208a8100de05aab408256390c654bd0309e11a7b8aed25ac6652f95d5c2559cf054c69536de9f59d5ee10cb693c9fd7de0

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 ae312bb170cf9a74989897eb1bba31a5
SHA1 72fa35ed286c51a8769d21bad6054b4d9c82f706
SHA256 faa1ded7dca4151f4d0a570debf8772ae5f7f9394ed24e9ad92062a9affa45f1
SHA512 22686d7e8cfa53349c0d1cee5125700f5579716f4d8597c8a266ddad26884cffe4692a1203f791819482585c19605bd98f7e02b24f9295dd73c1bdcf97ddb6d6

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 553644e6ecc7155839450eeffbc65a62
SHA1 2f84ec417d624377eac443d8acf36fbe80d470cf
SHA256 0549c738ef69a9d507c991530c613de815e171678033daaf7ce793b968581af5
SHA512 deb5ad637093a5d2b9f00b291adcd43ad9b3d58f0096cf9a89a1547fb30da9e35a6a1765cd4d44cc2bc99b61696ecc8b6e31147eb574e38abef8fcbc27277054

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 0eb38b3c6218c2234bda0d1ca99af85e
SHA1 2692bccbef8f962129c59494bb3388993275288c
SHA256 c4a0c65813229fbad222a7529cd2491556b1174293da1bea550613554a783fa7
SHA512 a293505f013b2546736327f35b047fad806b7edc171e0d6770b1439546c38dc4ac9f0b70eefb24eed6778e7aaee452c324f724165e4721f3f08b4abfc206c5ee

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 745967ffb7fdb8f83ecfdcef26ae3a79
SHA1 b82e061d03678f416b43b9308f2e976baa5edcb6
SHA256 e2905fd6b1f1ba9c6878bfa5e66410deaca83e71caddb47e575f73cde159ff7d
SHA512 227324e7622b792aa2f01daef2a5a2e88c661ba7c1af7e676b9a467ce00ca13428316b39c7f6e51640847f7bba03f6d5b2db29914d29989f5b5bd5ef789cba57

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 c32aad014b7eaa9802a8b2638a45fe37
SHA1 0e7db4914a324362302f393e85cd568b66388975
SHA256 91d77415be6fc6a3501e49bd4d97d79c94f9a5a99b66d87ffe15da2ca8576b6c
SHA512 3ca851861c616b84ae3ce5477b020ec61ea6e92fb5651b9c8c32f966fc07a308b3db63cb2bf4dc84277acf4151395f4e11556f1b6f78830946b27d5be3487133

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d82a33be61a7c3c06ce07730f1142e06
SHA1 bf821650c58f844a476d4583484d50ba1c2d2a4c
SHA256 f68927d92c125bf34393c47d467bb3c8e1770503daaad3afe45c63e4b91d37d7
SHA512 52ae3a8708d77cde6672e685f98484d637cb0de3aaff3503e796488a54ac9cd3cbedab99c4f91482a554f91aa1f346568a639ef3256219995663e33e78355fae

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 bf9189d2cdf9b70f91a1106578f092c4
SHA1 54ebc5455e800110206325f2a1b33d55ccd25bab
SHA256 fffb7d6a60f83c80f109b4ff114a44bf1d56dcc681c520dec263934bd928be53
SHA512 472a8972489623ffa39825b4aaed1099fd19c8028f567b98d87b2a68edb9f17bf1bf0c99dc4094ab5f823b878c7534502f472baba4ccede4afef4f3cd5ea1720

memory/1184-198-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2812-202-0x000000013F880000-0x000000013FE21000-memory.dmp

memory/1536-203-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/288-214-0x00000000747C0000-0x0000000074EAE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ffcf674b33a8ac5ca117ac52da7a66fb
SHA1 aca954d9213aa5091c7b52975c236d1ee1c88a89
SHA256 ae799ae335fe59fb4ea7a952edf2bb209cdc024da80076fb541411eb76b5ad2a
SHA512 bbd51e999d93d7562753ab7451b2904eb530a0486fa151fb1d8ab2a4291fc22bfcebf1f95f3a47caed3db9a24682626a166786535693f79d6cd0a0cd760354b7

C:\Users\Admin\AppData\Local\Temp\TarD7FD.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2640-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2640-247-0x0000000002680000-0x0000000002A78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

MD5 29cf63ecb88abbeebc77ed2c5770631f
SHA1 7f3905cfcb70b59ff1a3f01e9c0351f5083bddd4
SHA256 b0dc6eeedc866b23afdbfdccaac71b1ecc0cbb14801a83d467b67dd18e612f67
SHA512 cf93e70323a2336b520dc7f93fb8cc83dcf25e93bd256205941e94e1fe43e16bfdf01d9edd0d94d3116ef94d47ab04d6ebfeedb34eac618ee734dfba6e288af0

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

MD5 6a5a8ac25e7e626bee4bc3382cdbcf91
SHA1 ff4f8c6116a2bc7821b0a24ed10dd502b54b4980
SHA256 5742833a4d8df83316af1b8a18aa6f6b62a30430ad416edca8b6513f99a7a713
SHA512 15bf2604bba627e71e160e5251973b71dc4bbef90f948df85fc6d96110443fb95f700983c040235ed82ae9af47907b25a3c39a4b46016f89cbaf76f1c6d9a406

memory/1816-256-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/1816-257-0x0000000002530000-0x0000000002570000-memory.dmp

memory/1816-254-0x0000000000820000-0x0000000000DD2000-memory.dmp

memory/2640-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCDA.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/2640-280-0x0000000000400000-0x0000000000D1C000-memory.dmp