Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-edjqcacbhj
Target fa42753a5fe2e60076476da32fcfaf01.bin
SHA256 22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a
Tags
redline smokeloader @oleh_ps livetraffic up3 backdoor evasion infostealer trojan discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a

Threat Level: Known bad

The file fa42753a5fe2e60076476da32fcfaf01.bin was found to be: Known bad.

Malicious Activity Summary


RedLine

SmokeLoader

Smokeloader family

RedLine payload

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Program crash

Unsigned PE

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:49

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:49

Reported

2023-12-11 03:51

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9877.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sfsbfug N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sfsbfug N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sfsbfug N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sfsbfug N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
(62 further rows with no indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sfsbfug N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\9877.exe
PID 3384 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\9877.exe
PID 3384 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\9877.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe

"C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"

C:\Users\Admin\AppData\Local\Temp\9877.exe

C:\Users\Admin\AppData\Local\Temp\9877.exe

C:\Users\Admin\AppData\Roaming\sfsbfug

C:\Users\Admin\AppData\Roaming\sfsbfug

C:\Users\Admin\AppData\Local\Temp\1583.exe

C:\Users\Admin\AppData\Local\Temp\1583.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\192D.exe

C:\Users\Admin\AppData\Local\Temp\192D.exe

C:\Users\Admin\AppData\Local\Temp\is-2AI56.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2AI56.tmp\tuc3.tmp" /SL5="$C0062,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 328

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\6BD3.exe

C:\Users\Admin\AppData\Local\Temp\6BD3.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2768-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2768-3-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3384-1-0x0000000002B50000-0x0000000002B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9877.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Roaming\sfsbfug

MD5 fa42753a5fe2e60076476da32fcfaf01
SHA1 8147938ec14fc596c55d1819f8e2cb3d92991ac5
SHA256 22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a
SHA512 e16b32648b38d7a6d8e2bb3062e0246d6bae0118d60b865eda9a671b26eb2f8f087d1ebddc9a6f9191cdc980e94d734adcd461e0dc2479e7790e2ebb79561dd1

memory/3384-14-0x00000000029D0000-0x00000000029E6000-memory.dmp

memory/3632-17-0x0000000000400000-0x000000000040B000-memory.dmp

memory/656-19-0x00000000013B0000-0x00000000013EC000-memory.dmp

memory/656-24-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/656-25-0x00000000086C0000-0x0000000008C64000-memory.dmp

memory/656-26-0x00000000081B0000-0x0000000008242000-memory.dmp

memory/656-27-0x0000000008190000-0x00000000081A0000-memory.dmp

memory/656-28-0x0000000008170000-0x000000000817A000-memory.dmp

memory/656-30-0x0000000009690000-0x0000000009CA8000-memory.dmp

memory/656-32-0x0000000009660000-0x0000000009672000-memory.dmp

memory/656-31-0x000000000B020000-0x000000000B12A000-memory.dmp

memory/656-33-0x000000000AF50000-0x000000000AF8C000-memory.dmp

memory/656-34-0x000000000AF90000-0x000000000AFDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1583.exe

MD5 1ea753c26a9a9b36a1ea3eb6eef74792
SHA1 5abc373a4ac4f2f374e9bee21ee1e2d104b2a4a3
SHA256 28352504c842004725e1f53fc4e65e16065642452de646917dc606ddcfd9f970
SHA512 a9a62165d42ed8d380cdfe887f29d1028c2e96f7dc5f8cab38e2398f842eaf7c7f8191a454efae0280782dfddef2d9c7a8b142cce5008c346930d181ddbd5c42

C:\Users\Admin\AppData\Local\Temp\1583.exe

MD5 6d85259c78b1d653d7e077ef515fde6e
SHA1 fb27c5cf8c58199f67ee2b3caecfd3ee5bde86d0
SHA256 847f4898f2adef5839ff24d7d9ea9da008dcadd4d620daf3c9321ff1b7cfdafc
SHA512 039d83cc5517be741eb120cef3bd77936742c25a23b44e7f9514678d99dd664c04842c2b62718b544053836d26bc6dfa7e4ac17eaaf3ae491753ffc986a50cdd

memory/3328-40-0x0000000000310000-0x00000000017C6000-memory.dmp

memory/3328-39-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/1436-78-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2848-84-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4952-99-0x0000000000180000-0x00000000001BC000-memory.dmp

memory/3328-98-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/4952-97-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/4952-130-0x0000000007090000-0x00000000070A0000-memory.dmp

memory/2072-203-0x00000000020B0000-0x00000000020B1000-memory.dmp

memory/656-254-0x0000000008190000-0x00000000081A0000-memory.dmp

memory/1528-257-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1528-256-0x0000000000400000-0x0000000000785000-memory.dmp

memory/656-252-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/2068-251-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2068-247-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2068-248-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3368-260-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3368-259-0x0000000002A30000-0x0000000002E2A000-memory.dmp

memory/3368-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4380-264-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1436-263-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2848-266-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2512-268-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/2512-270-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/2512-273-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/2512-284-0x0000000006380000-0x00000000066D4000-memory.dmp

memory/2512-274-0x00000000060D0000-0x0000000006136000-memory.dmp

memory/2512-285-0x00000000067C0000-0x00000000067DE000-memory.dmp

memory/4952-272-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/2512-271-0x00000000057F0000-0x0000000005812000-memory.dmp

memory/656-269-0x0000000009130000-0x0000000009196000-memory.dmp

memory/2512-267-0x0000000005930000-0x0000000005F58000-memory.dmp

memory/2512-265-0x00000000031D0000-0x0000000003206000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e531d4b3fe89b853c46bc13fe348d06f
SHA1 75fa013b9dc494df46a0b1227bcf7a59456a211b
SHA256 9c59b6ccdce18585f923ef2aeb39b3fc1d5bf47de74134629bf542248ec8cb68
SHA512 5a3e06a7e1ebdb627e88c79dc1854423e55e4b2f0ff0a715d149d5e416f5a3ab59874cb7aa43ca1589909e004197f01120536bbb8c430c208ccf7917b45edbad

C:\Users\Admin\AppData\Local\Temp\192D.exe

MD5 52a959ca162a679855ffd3f5c08ec9a0
SHA1 d28813ea9b81c639ace82f812370fc1541ec9ede
SHA256 bd91ce0d9b7621bbb0abaffb2085a6b53a0ff0c21a002f90cf11519f0a39fb3e
SHA512 4d33183acf674816bcb4760d5837bad1922d5bedc8f20c5ceff4d6c754b04c15d942fb448047eb96dbe6a1d0e3cb83c062848aebdf859bc3a06b820962eeaf33

C:\Users\Admin\AppData\Local\Temp\192D.exe

MD5 74461137d38386f0473fbcb475d0fc37
SHA1 9f849998554b4584a172dfc4e99d84454cd32323
SHA256 59ba7fbb6e1f42ac28150728de37110b881ffd5cdabc359768566c4b1806f722
SHA512 d1e97e73886dc2bf11a076490f6665cca6b4716c767a61bf3e80af7b4bb1e75884df7b8aebb5557d23cd014c5d35b974f9609d71d855eb899be4945f25d9bae7

memory/2512-286-0x0000000006D30000-0x0000000006D74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 a3d098610415db87bc6cee13cda24803
SHA1 bfed2811ab2e0a6348eaccd168fc7ffc3a9c3d92
SHA256 f722cb4a916da1dae426e44f98a359eee43014d379b9c23118120c144cc52301
SHA512 2d7be3981e1c4dd634ebd377f6b7cb866d00be726e87cd66348e3bdd55916b848a3b7fbca2bbb581b4f70103f669dbe1479a4beaeb11ffeb4646d1057b518361

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 02ab342dc31ba5c94685b020407a9bdd
SHA1 eee928e482e81814c6c4d72df2e3cc61d4e1477a
SHA256 4514276540e9290b92cbf2c08ee6b0d522769ddc22812ce2baad167dd8a71e8d
SHA512 ceb607b6b034e2529239372709862b612483205fa2bb69d398e1800ad8a8fafd44640260deb87ef2f0c511a1cdbcd7a1aa9acb9aca18f578907caaede55a7375

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 713258283d098fdc6a26408edc9dca13
SHA1 5784f69076c2057f21b963a9e13fbd186fb1f308
SHA256 7a268aff850715b2f1aef618c46512c531885248c1a05aea326ddd13bb39eea0
SHA512 3af46480eb917f37bcb85c5fb046debe24d86f5804227388e81af9d351604d33b4bfce2fe034f8f0a60e2ac1088134236f4053681a844b4fe5b033657065929f

memory/2512-287-0x0000000007AD0000-0x0000000007B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d8d8daa14e7259290e728e98ff6bfbbb
SHA1 79627f6e255582d8eee34ada3c4377054bfa3ea1
SHA256 21ceca5b4af638a7f8d6c1a0b7ce9b5ca459b28aef1b7d5f9d80381d09ad7a43
SHA512 bd326ddd695efa2420ee9940b9bce99400579b1b17a603358ca7e33f18275724d71023aeb99e786719260c2b50cfac4674aa996bd583e92c4545188af20737f5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 e33cadf4b3ae6a9d47c1f8357631426d
SHA1 6f7f9ee4e9d44d2e2829781034e9b3365ef21819
SHA256 be0de1f5f6d9c900cee889ff035623793aa11eb56717fc395f7daa0a6a2fdc0c
SHA512 a8f384ba81c1f6e4ceada53ec23fb39bb28f9d259f73dcbbcfbf15cb20eb526a740378c7e2d90a9cdd915c2124f88d51af212706e7060b10bdc8a72bac2666c9

memory/2512-289-0x0000000007B70000-0x0000000007B8A000-memory.dmp

memory/2512-288-0x00000000081D0000-0x000000000884A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 7776759ea28041a3b23799da25b042d7
SHA1 145ad923430023052617a70a957d96dcba1eb692
SHA256 db3491d1d1017660e5626ef5173a1d117d852a934341073ae67040e17fe779e0
SHA512 4d4100e896f9c1b4156ff0f0028765d10dfe2a505d7cbcb273189751231a77921ff5a34448fd7a15809d147185624478565eb926be089264af89e6d7ce3f6308

memory/4952-290-0x0000000007090000-0x00000000070A0000-memory.dmp

memory/2512-303-0x0000000007D70000-0x0000000007D8E000-memory.dmp

memory/2512-305-0x0000000007D90000-0x0000000007E33000-memory.dmp

memory/2512-306-0x0000000007E80000-0x0000000007E8A000-memory.dmp

memory/2512-304-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/2512-307-0x0000000007F90000-0x0000000008026000-memory.dmp

memory/2512-308-0x0000000007E90000-0x0000000007EA1000-memory.dmp

memory/2512-293-0x000000006C5C0000-0x000000006C914000-memory.dmp

memory/2512-292-0x000000006DCF0000-0x000000006DD3C000-memory.dmp

memory/2512-291-0x0000000007D30000-0x0000000007D62000-memory.dmp

memory/2512-310-0x0000000007EF0000-0x0000000007F04000-memory.dmp

memory/2512-312-0x0000000007F20000-0x0000000007F28000-memory.dmp

memory/2512-311-0x0000000007F30000-0x0000000007F4A000-memory.dmp

memory/2512-309-0x0000000007ED0000-0x0000000007EDE000-memory.dmp

memory/2512-315-0x0000000074750000-0x0000000074F00000-memory.dmp

memory/1528-318-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4992-319-0x0000000002BA0000-0x0000000002FA5000-memory.dmp

memory/3384-323-0x0000000002B70000-0x0000000002B86000-memory.dmp

memory/4380-339-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1436-361-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2072-364-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3460-363-0x00007FF76CDD0000-0x00007FF76D371000-memory.dmp

memory/1528-392-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4992-464-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1528-546-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4776-547-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 879f6daa64e7c5cd0c5407b3335f1a08
SHA1 1b90e48b2db46ca06ecaa783b49afa596c69aaef
SHA256 0260e173818cf121d0b744131756d7799228508cd38af9a033f4bdf27f927728
SHA512 51ca18517e520c98c4064f42d8ed2aba05318392ce11f89705dec7eab6c624790f561a9a3b09af4398ac2377787a4ac552eda66df116bb9ee1432d3c924cfdfa

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:49

Reported

2023-12-11 03:51

Platform

win7-20231130-en

Max time kernel

127s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\52D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fgbutbe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6A1A.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fgbutbe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fgbutbe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fgbutbe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
(62 further rows with no indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fgbutbe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\52D1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\52D1.exe
PID 1364 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\52D1.exe
PID 1364 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\52D1.exe
PID 1364 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\52D1.exe
PID 2760 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\fgbutbe
PID 2760 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\fgbutbe
PID 2760 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\fgbutbe
PID 2760 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\fgbutbe
PID 1364 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A1A.exe
PID 1364 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A1A.exe
PID 1364 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A1A.exe
PID 1364 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A1A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe

"C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"

C:\Users\Admin\AppData\Local\Temp\52D1.exe

C:\Users\Admin\AppData\Local\Temp\52D1.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {912C0FEC-7D5C-497F-AF98-EF07F264DDF5} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\fgbutbe

C:\Users\Admin\AppData\Roaming\fgbutbe

C:\Users\Admin\AppData\Local\Temp\6A1A.exe

C:\Users\Admin\AppData\Local\Temp\6A1A.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-GE7RL.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GE7RL.tmp\tuc3.tmp" /SL5="$9011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211035103.log C:\Windows\Logs\CBS\CbsPersist_20231211035103.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\7BF5.exe

C:\Users\Admin\AppData\Local\Temp\7BF5.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CB0F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CD9F.bat" "

C:\Users\Admin\AppData\Local\Temp\D935.exe

C:\Users\Admin\AppData\Local\Temp\D935.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\taskeng.exe

taskeng.exe {3D97DE9E-7C0F-4D94-A127-818537EC859C} S-1-5-18:NT AUTHORITY\System:Service:

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 N/A tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 N/A tcp
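The two Network tables above (behavioral2 and behavioral1) mix sandbox noise with the traffic that matters: the 8.8.8.8:53 rows are reverse (in-addr.arpa) lookups of the addresses the sandbox saw contacted, the tse1.mm.bing.net rows are ordinary Windows 10 background traffic, while the HTTP connections to bare IPs on port 80 and the two connections to bare IPs on ports 6731 and 32927 have no hostname at all. The following is an added example, not part of the sandbox report: it parses rows in the table's format (tolerating a missing or N/A Domain column), drops DNS traffic, recovers the IPs behind the PTR lookups, and scores the remaining endpoints on two heuristics chosen for this example, no hostname and a port outside 53/80/443. The sample rows are copied from the tables above.

```python
import ipaddress

# Ports treated as ordinary for a Windows host in this example: DNS, HTTP, HTTPS.
COMMON_PORTS = {53, 80, 443}
PTR_SUFFIX = ".in-addr.arpa"


def parse_network_rows(text):
    """Parse 'Country Destination Domain Proto' rows as the report prints them.
    The Domain column may be absent (three tokens) or printed as N/A."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        if domain == "N/A":
            domain = ""
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def ptr_targets(rows):
    """IPs the sandbox reverse-resolved: 34.131.19.81.in-addr.arpa -> 81.19.131.34."""
    out = set()
    for r in rows:
        if r["domain"].endswith(PTR_SUFFIX):
            out.add(".".join(reversed(r["domain"][:-len(PTR_SUFFIX)].split("."))))
    return out


def c2_candidates(rows):
    """Non-DNS endpoints with no hostname and/or an uncommon port, with connection counts."""
    out = {}
    for r in rows:
        if r["port"] == 53:           # lookups against the resolver are OS/sandbox noise here
            continue
        reasons = set()
        if not r["domain"] or _is_ip(r["domain"]):
            reasons.add("no_hostname")
        if r["port"] not in COMMON_PORTS:
            reasons.add("uncommon_port")
        if not reasons:
            continue
        key = f'{r["ip"]}:{r["port"]}'
        entry = out.setdefault(key, {"country": r["country"], "connections": 0, "reasons": set()})
        entry["connections"] += 1
        entry["reasons"] |= reasons
    return {k: {**v, "reasons": sorted(v["reasons"])} for k, v in out.items()}


# Sample rows copied from the behavioral2 and behavioral1 Network tables above.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 tcp
"""

if __name__ == "__main__":
    rows = parse_network_rows(SAMPLE_NETWORK)
    print("reverse-resolved:", sorted(ptr_targets(rows)))
    for endpoint, info in c2_candidates(rows).items():
        print(endpoint, info)
```

The PTR set is a useful cross-check: every address the sandbox reverse-resolved should also appear as a candidate endpoint, and an address that was resolved but never connected to points at a lookup the malware (or the OS) made without following up.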

Files

memory/2100-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2100-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1364-1-0x0000000002490000-0x00000000024A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\52D1.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/3052-12-0x0000000000280000-0x00000000002BC000-memory.dmp

memory/3052-17-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/3052-18-0x0000000007460000-0x00000000074A0000-memory.dmp

memory/2504-22-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Roaming\fgbutbe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\fgbutbe

MD5 fa42753a5fe2e60076476da32fcfaf01
SHA1 8147938ec14fc596c55d1819f8e2cb3d92991ac5
SHA256 22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a
SHA512 e16b32648b38d7a6d8e2bb3062e0246d6bae0118d60b865eda9a671b26eb2f8f087d1ebddc9a6f9191cdc980e94d734adcd461e0dc2479e7790e2ebb79561dd1

memory/1364-23-0x0000000002E60000-0x0000000002E76000-memory.dmp

memory/2504-24-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3052-27-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/3052-28-0x0000000007460000-0x00000000074A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6A1A.exe

MD5 a601de830d94990dc177ab1272fd367d
SHA1 c40ef6cc692347656c92e9f3882785c2fbe9ad7a
SHA256 7e9ff7c5c7ec9b5833b17b7ff2308cda43c43e1e8c7df0733155d3585fb08272
SHA512 a4d1ef0557bdc6efee6000af1d0ab67e69a4e0cf897c9e26aaefc0d0e0a529c72b363a3799bf33d6079d54a2ea92119945905eb96bd801361a29f127d5a3bff8

C:\Users\Admin\AppData\Local\Temp\6A1A.exe

MD5 9ee3473933e8b564e00ca82f048c4b07
SHA1 9591da701a5ae80ff5a08172c2eca777d66663c1
SHA256 7b36c38b2eb717ef8edd866149fc49944e404f65e0600c3ce7020637a5f341f9
SHA512 a54d3735736891c00346d31edccba3895e0c008e5035e3886818843b4b10c08c38407badb456eea123b22e4ce4e23c0238e113b90e8548dbe1fdc311522ac246

memory/2024-36-0x0000000000B10000-0x0000000001FC6000-memory.dmp

memory/2024-35-0x0000000074C00000-0x00000000752EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b1f5896e60f94e9e14bed0ec110fb2a5
SHA1 879d68827d6fc17a4c1813a70c3f5902c5959103
SHA256 b534acb6db481fc0dd4b3e287896b7a5b3eddf815c4b2a79bcf8485032b0c53c
SHA512 dbe801fcf94e35de9a513830acc2927bde07ad92853031053774f274b212869d8779fb66485630970278444d603ae5eeff557931080487009f1ee6ebf2cf68a8

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 a7423abfff1f8d14e1be346efe9a4662
SHA1 db373ffcfc944dd56b7f4f0fd8ad11593ce5083a
SHA256 55f365ef9c8576b8d2d29017b8ba4a2634da7d87cc57cc5737821c3b199b06c0
SHA512 ced4ef9ded59b90821fe418dfc8c36cef4b0f777a44e96b5c1a494ac158ec00e2d22fea95b5c431b1bc60e3952d5bf0954fe8da2702e17df3459cb9912ebb89b

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f3c44a4d66e8b7d35cd7da2a94ed3380
SHA1 e541832fe101313b0b3dfc50ae42b4307df99c65
SHA256 9e867ee9455197e56be394241e44d923099f5e333b7c402dcb7e82b0b13276f1
SHA512 80f76ce722b7f919acca3397212a8016ee0b95bf7956d664525fe11c2317cd2b2a61e967864651a12b634f2f60106c8c66e1d57768200aab9693a71fd29d953c

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 50c4b16c15ad6674f4023fcc419481b3
SHA1 88fba88432f9dced1f976e88620f67e23cd888bc
SHA256 fda3ff323a53c521e8a616177e3fe15c670b95fe5b677ff76992a54d6d36bd8e
SHA512 2a8f0a7f6fbee8cbb8ae1eb352ff676067c5e7a9a581930b975e35e556947d98fb4b02582960403c6326c65ad1307d6800a6b1ec2a310cc4e51794452176bfe9

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ede27966b040018f4726c9a734ffc775
SHA1 9e75616e9dc0652dfb7848695e52ac23d870f0d4
SHA256 b5a1ffa5d39de6281a961b59b15912a5b520c170de0d6f14c8fc7fc492fb622e
SHA512 566c39669b6950a3783aa2feb2eca1e5a5bd297277f187ac0369841c4dbe6e4c5293bceda1728b37717518be6edc0738605d0b8214b7a031be1da32c0959084e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1f583d3268e4037f4f61ed68d6275378
SHA1 158f407259f96312df178db87e55cf596b4d843d
SHA256 06122b3325c89fa1c4d0c2e8e411ed2431a504cbf611185e8bb15b8d2c22358b
SHA512 d3d0109221f40fe13ca4d2ce22e7af7259d7c8216d95a3bc387cf362f036d1f636ee088aee22155be15d2555318181ffa366c5d93fa7a93318378049328de8dc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 de94b869d3c21138e5d63a0dd2c33302
SHA1 0993f5acb8cf309e3cc916b63afc55c44aa6a582
SHA256 9a7c97256092e37d1c5af6b1ba4495a9abba0199ddeec859e48d977237bf4049
SHA512 9977dc425d2861147ed684a97f1c3f62b23e5fed26c16b5fee73c1234711d0348687e26a7ac6023a730cc8a74a592113869f0e903262236e8fe959ec566295f8

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1c7fdee80b7baedc4fbf1f0a47da80ef
SHA1 f163135e1f52d3caf085d92cc9d98bc6939bb0d4
SHA256 d43ef0afb687874f209388eb487b0c2284dae3ad23fd2f6e70f67d75ade5c779
SHA512 dd91fddff19aafd68aeccc1db74cd3b5e3054ec0454b5985be0faf9719ae258e04ab89c3743458339dd67c0723803dc9e580d84aa71f6ba9bbfd48cf332cca10

memory/268-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1892-109-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2108-110-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/1504-84-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GE7RL.tmp\tuc3.tmp

MD5 4c95c0ee722999ef724d807359996467
SHA1 907196a6be77b4638d2ac810434ad774a5a51dea
SHA256 80783cd58ab0ef35f42798ba909387073a83f5f6e1ac411c6809809df4aaabda
SHA512 f2bad3d2e3555de3fb3c9d3456271a1312d5d16bf4ee05bd48805a9e9b28a4f4ec65ab7b4665f94ddd9f515f12c3fe9b91a0c4745ad8c4fed83d65d0c10a40a9

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 82462704664957f634f919d78ea9a36b
SHA1 c2a8e0d0e4b459ebcc5fbd639e88ebabb25ad44f
SHA256 8a087b306ae27036a5590826d70ccc234f2e406316b68284b3b0be15ada1d73e
SHA512 2afc84af3f7abfa6d48069cc04e45a799c8bc9ccb9157184db67ff3b4436a8ea4c90ad4b2637267dc9941670978634004fd0f582535ff31d64301dbacbac08b8

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

memory/2108-115-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/2108-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2024-117-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/2108-116-0x0000000002B30000-0x000000000341B000-memory.dmp

memory/2280-127-0x0000000000230000-0x0000000000239000-memory.dmp

memory/784-128-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2280-126-0x0000000000902000-0x0000000000915000-memory.dmp

memory/784-124-0x0000000000400000-0x0000000000409000-memory.dmp

memory/784-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2108-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 e6241f5297af91becf2fea5991c56d0b
SHA1 326a4970df9f25011bd5304d2ec23e36b350ec60
SHA256 4738992519f563fad90b80038dc98b5e502a9615a4386b21618c75b98a5879f8
SHA512 99f7928ff1326ccb53e1c06c819dcef42e6f4eeca80d89902436c376783239e561a45974a1ad8091d036a55aeb1defa28e3e0177e1db2bb826d58c72c11fcd88

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 460bb584cd9d029a6a70ecdfe339628d
SHA1 f77d5e1ef82533bb24f0d80e27d74d7505f01769
SHA256 833e3f40782ac38f639a56a2f24d17a1ae48888fe6a743e3064b504b26776368
SHA512 fe05f3292abe9f72bf48776ef081d8b82916d313833f4eb6c45c1c2d0ecc901078a66c140531ccff57710ae2651c7b6e8146af892498c54253da7158c18b42c9

memory/2108-131-0x0000000002B30000-0x000000000341B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7BF5.exe

MD5 672d24af871ba06c83af5fad0cf975be
SHA1 e1a16b95b56a59f77e09a3452a85789a25d7ce08
SHA256 e01d662d5b57da949c5eb97c4dd14d4f1c13e0a2908fe3b75447c0fc7f23977b
SHA512 5bb65a4f2d7c6da940c57918efa2d8701dab936e30825e785ab1191146eb31ad803c9391b98cb7b5aa61749d3bebb20baee789066bc3c1fb2c587ceb2eb58591

C:\Users\Admin\AppData\Local\Temp\7BF5.exe

MD5 d7067e1564ca6bc62c0cb16d273ea85d
SHA1 00e5984ebf06b7054ae12125682e1c9fc64090ab
SHA256 96a925791a05e227b33781f2ff174d9a114e523811a61c7ad32a99a805c2c2e1
SHA512 68b8694026bb4e2e5407f4c17149804f2f7dd991f35dbc5c91ac6ac3ca2c5b72cb8714732addc86a4504c9a36524ec26847c77d6f7e2d65cf7df81f951e8afc7

memory/936-138-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/936-137-0x00000000011A0000-0x00000000011DC000-memory.dmp

memory/936-139-0x00000000072D0000-0x0000000007310000-memory.dmp

memory/888-140-0x00000000025F0000-0x00000000029E8000-memory.dmp

memory/888-141-0x00000000025F0000-0x00000000029E8000-memory.dmp

memory/1504-144-0x0000000000240000-0x0000000000241000-memory.dmp

memory/888-145-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/268-143-0x0000000000400000-0x0000000000414000-memory.dmp

memory/888-142-0x00000000029F0000-0x00000000032DB000-memory.dmp

memory/888-155-0x00000000025F0000-0x00000000029E8000-memory.dmp

memory/888-154-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 9f80c8f7d9a720cb89145249e1f58cd4
SHA1 81a7c7c3968351734888dbfa5e63241851f29f87
SHA256 e20533bad16492feec01690a7b6fadb7eb22d97ff48acdd983924a23a3f57937
SHA512 3180d675b33164e869777db14960e1574a0f12e4c244d7b286316f3cff351496194138cd296fad4248436957fba49b9cddd5c1f0ffa80fceaecae04d335a55a3

memory/784-157-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1364-156-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

memory/1888-161-0x00000000026F0000-0x0000000002AE8000-memory.dmp

memory/1888-162-0x00000000026F0000-0x0000000002AE8000-memory.dmp

memory/1888-164-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b2f0514b31cd13c4bcf055245d18f1f2
SHA1 abbdd94133d539f2bbb0de5ab235824ba2ac5594
SHA256 23aa14e2439a25fbe88d08cf93c352d4be150eb9a8e950b48159b2759f78c729
SHA512 e1506a79fb6dff575d54f35a4342e2519a24d24d9ad42030b947d34e8819e149ed9dd964af23a55037ca07c26521e1877da867917398a1c3256c94df56472f1e

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 f8f2429bbac628b0f19bb92071fa4bad
SHA1 704efb4e38b7dbcb728e5e3d02e81358017a9fd9
SHA256 c36cbf65b2767e1872bb20ddc75d103bb0bd922a54ad809919e85ed965c329e0
SHA512 81fd5144bb6d29451128432437765b2a774cf04a636cd80a6b17db6bd98a05c5ab51319e10175b4daa56a23da21ff1eaa81cdba89f19ef45b8a1202a7a99d090

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 9ae80454e6835f165d4e3cf311a5851a
SHA1 51564bccd57fdffb7393f58fbcc237152a33dc80
SHA256 9adade4c856d5bfed2ff38172250a158371c517a9ffe748f0045974b293f60b5
SHA512 bd75a7b2e7cf546d28ba8b28642e3e362bc03cbbcba0cf9a73551f7b0d0bf5fab94e5fe3ebf38a3c39a0598119c3cef7848a9f47b60150bf4716aae874e66b29

memory/1656-184-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 00caf72a82bc8125478a6d437f8c3277
SHA1 cf76fb1885daa37cc47cc697ada2992670ae2de4
SHA256 3b8c36a9392b2b97aee105dcdcb4a807c6478b8e421c87576c3977063a89ebc7
SHA512 5ea2dbed90dba7ee707b0b3e79f802ee8bc6e36d87181971ee9ec93275f1b5a9915c1fcad2f42cd0f38ec55345a82da7e956a62c98f6421e6bf3b942df197c19

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1c588ccfcdd5c6356b90df4e298226cd
SHA1 f0a4c0ea40da0dd4f1f440883b8c95c5fa6b8e01
SHA256 beb2e8ca9c80365688f16723da40d04c56b05f9ae997e5a993d705ac31fc74cf
SHA512 fd645272b0b50a4f7b641416282918239f4a381833a94a22fab645f5ab47faaf58854b890d0ed9bfd0da4a9a56624ccf4bf72d585bc9c56fc53ce39c84981f93

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 ebe52ef53e56c29beae23daae11d9e85
SHA1 13473142613442ad2e2689907a73e38154c2ba4b
SHA256 5df4c77eb231c37704946f30baddb331dd4a35d0fa47c50765162e20826a208c
SHA512 4d3339d26cdc8557dfdfc3b5fce685b1f8ef782c9372a5ea31c7875e9a288409dd26b9d824c80d01918c584e543a4d308b513e5da601a291621b35a3cb57f4f3

memory/1656-176-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 2addefc23d6e8a169ba4581f5f0727c3
SHA1 0fea69819982e4e67930209bfd7670a9fa72eb9b
SHA256 36136df91469f33bd2b2235026cd26c3267c333b20d72ba1ec1cbba239561bdb
SHA512 ff8c9c447037b917074f5ed54661827a7026f6d0d1c48f9b623574436115995c0230013b3fb4a55a1d6d977a6802dc16e6c154981289a72e159d4b5d2665c3d8

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 934f21505697bd7f5247b8f75c2b7d6c
SHA1 b32e8340684569f4be54c79e93f8b458c3fc5c9c
SHA256 f77d3b18a869e50afdd38c4e61648f3561b955f387862eb0f707667b152e3b32
SHA512 1657ac7cf8ac827bdb3b6f3d7f5f3615e1d9c9cd9c30bfa4aaed8ab26933f2d875cec166149a2e8875162befa7117f6db702efbfb64bc89017ec3050b819a2e3

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 08ddd6c62735a99e93862a37b266a44a
SHA1 ded8dbff16f3243ff2fe850f35ecc48439f487e3
SHA256 2ac1ce6c8269791d476e5ea99800993bac2f61d6dc79d2db7b80443e5a0409fe
SHA512 69bfa6529da64e2eaec7213f92e1960749c6e27b87de9f66a128da2a25c7fe5eb83517237b37015a025864260907c7cae5783c3da8fc14316149b9b5bf591c9c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 ffb4f58500abb95e77ea57cfdec0787c
SHA1 398379259440491a4f63b38777f064b1afaedea4
SHA256 90dc81b02f873102ec50bab1b87fa9ca6c2b39fd178906d6c35fd770c8da107c
SHA512 889d73d7d9d82060c346cc43a5a4ac2d32e55c53c629873926e36d9bb0f8bfcd2992750b837b46496c898577172d58c300a987f7eb8f9348a9b26719850b4b50

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 ab69c4c4f2a4cb1639193eda360e9b02
SHA1 f64bf39052207a29696c08187c3f93926f1325e5
SHA256 720f92eea10156eff606fb38ca1c77ec386674851e98756a3a2e116b7103c616
SHA512 e0f0604ee712f4182d2015a653eaca9964e952f9010abf81b7408536fcba84d4cf5b39c11f76d3a01c73d22084b7d54f201d44b3cb04935f48f0fb2d1ae5bb7d

memory/3052-194-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/1504-196-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1892-197-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1676-198-0x000000013FDA0000-0x0000000140341000-memory.dmp

memory/936-199-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/936-221-0x00000000072D0000-0x0000000007310000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarAB23.tmp

MD5 815f104252f75b775f32e3e294f9b755
SHA1 45b69ab912901c2a89c27e02c4d7f4a3561b14b4
SHA256 343541d8f72a2958e07c3e7227264dd042a21e4f7b8bb29aa91b60d8d4afcc71
SHA512 eef61f4a5fc6cac89ab59f62b862eb94ee42a2c21940a011c87c2f0fbc6c14009ee809c6d176c27d16f0d02d2ac66f2820029634a4dbf25a4a30ec998fd0f13a

memory/1888-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1888-259-0x00000000026F0000-0x0000000002AE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CB0F.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/1888-279-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1888-278-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D935.exe

MD5 ba69206425a34c8d0db8eb66384f4fe9
SHA1 46a574be345e0a6fea54a8603add9f5d22c2d228
SHA256 608971844800fefc14b1720d8f4b08f60cf20b272bc0e7d0a66eb76f781d2210
SHA512 af2999b555f5863e7189083e14a21431783756735acbb0714c4580aa4ea569477eff501c698f0cbea1b60c7d54eb9d942ede008fc1516e4872d72adc2c53ad2b

memory/2812-285-0x0000000000110000-0x00000000006C2000-memory.dmp

memory/2812-287-0x0000000005250000-0x0000000005290000-memory.dmp

memory/2812-286-0x0000000074C00000-0x00000000752EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D935.exe

MD5 9df2a854b20d3c23c2ca3394ea37c3f4
SHA1 eaf713ac5e5d12f274472d9f03e6a068f47a04a8
SHA256 aacaf8f7a44f920100b281318c15b65b84a65e4a11e20f44d514cd22b6644378
SHA512 b53b94e3267b699f7db302e508b1d0015af5c83cf42949798311142366b444805f2dad89008617ddc99230e67d01d03983e873d026fa0917d7a50819dd1abc9a

memory/1676-291-0x000000013FDA0000-0x0000000140341000-memory.dmp

memory/624-297-0x0000000001F30000-0x0000000001F38000-memory.dmp

memory/624-299-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/624-303-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/624-304-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

memory/2132-313-0x0000000001E40000-0x0000000001E48000-memory.dmp

memory/2132-318-0x00000000029A0000-0x0000000002A20000-memory.dmp

memory/2132-319-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

memory/1676-322-0x000000013FDA0000-0x0000000140341000-memory.dmp
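Three things in the listing above are easy to misread when lifting indicators from it. The block of digests at the top (MD5 d41d8cd9..., SHA256 e3b0c442...) is the hash of a zero-length file: the sandbox captured the path before anything had been written to it, so it is not an IOC. A path that appears several times with different digests (6A1A.exe, 31839b57...exe, toolspub2.exe, InstallSetup9.exe, csrss.exe, ntkrnlmp.exe) was rewritten during the run, typically a staged download, and only the last digest is the artifact that ended up on disk. And csrss.exe, ntkrnlmp.exe, symsrv.dll and dbghelp.dll are names of legitimate Windows and debugging-tools binaries, here dropped under C:\Windows\rss\ and the user's Temp directory rather than their normal locations, which is the masquerading that should be alerted on; by contrast the CryptnetUrlCache entry and TarAB23.tmp are files Windows' own certificate and CTL retrieval produces and are usually noise. The script below is an added example, not output of the report or of the sandbox: it parses this path-plus-hash format, tolerates the path-less first block, validates digest lengths, groups digests per normalised path so the final write can be picked out, and flags system-binary names outside the system directories. Its input is an excerpt copied from the listing above with the SHA1 and SHA512 lines dropped; the SYSTEM_NAMES list, the SYSTEM_DIRS prefixes and the path normalisation are this example's assumptions.

```python
import re
from collections import defaultdict

# Excerpt copied from the listing above, SHA1/SHA512 lines dropped for brevity.
# The first block's path precedes this part of the report and is deliberately
# absent, so the parser must cope with a hash block that has no path line.
LISTING = r"""
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Roaming\fgbutbe

MD5 fa42753a5fe2e60076476da32fcfaf01
SHA256 22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a

memory/1364-23-0x0000000002E60000-0x0000000002E76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6A1A.exe

MD5 a601de830d94990dc177ab1272fd367d
SHA256 7e9ff7c5c7ec9b5833b17b7ff2308cda43c43e1e8c7df0733155d3585fb08272

C:\Users\Admin\AppData\Local\Temp\6A1A.exe

MD5 9ee3473933e8b564e00ca82f048c4b07
SHA256 7b36c38b2eb717ef8edd866149fc49944e404f65e0600c3ce7020637a5f341f9

\Windows\rss\csrss.exe

MD5 9f80c8f7d9a720cb89145249e1f58cd4
SHA256 e20533bad16492feec01690a7b6fadb7eb22d97ff48acdd983924a23a3f57937

C:\Windows\rss\csrss.exe

MD5 b2f0514b31cd13c4bcf055245d18f1f2
SHA256 23aa14e2439a25fbe88d08cf93c352d4be150eb9a8e950b48159b2759f78c729

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 f8f2429bbac628b0f19bb92071fa4bad
SHA256 c36cbf65b2767e1872bb20ddc75d103bb0bd922a54ad809919e85ed965c329e0
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumption: an illustrative list of Windows binary names that do not belong
# under user-writable paths, and the directories where they legitimately live.
SYSTEM_NAMES = {"csrss.exe", "ntkrnlmp.exe", "symsrv.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("windows/system32/", "windows/syswow64/")

def parse_listing(text):
    """Return (files, dumps): {"path", "hashes"} dicts in listing order, (pid, start, end) tuples."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length: {digest}")
            if current is None or algo in current["hashes"]:  # hash block with no path line
                current = {"path": None, "hashes": {}}
                files.append(current)
            current["hashes"][algo] = digest
        elif m := DUMP_RE.match(line):  # memory/<pid>-<n>-<start>-<end>-memory.dmp
            dumps.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
        else:  # anything else is a file path and opens a new record
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps

def norm(path):
    """Case-fold, use '/', drop the drive: 'C:\\Windows\\x' and '\\Windows\\x' both give 'windows/x'."""
    p = path.replace("\\", "/").lower()
    return (p[2:] if len(p) > 1 and p[1] == ":" else p).lstrip("/")

def hashes_per_path(files):
    """SHA-256 digests per normalised path in listing order; more than one means the
    file was rewritten during the run, and the last digest is what ended up on disk."""
    out = defaultdict(list)
    for f in files:
        if f["path"] and "SHA256" in f["hashes"]:
            out[norm(f["path"])].append(f["hashes"]["SHA256"])
    return dict(out)

def empty_files(files):
    return [f for f in files if f["hashes"].get("SHA256") == EMPTY_SHA256]

def masquerading(files):
    """Known Windows binary names dropped outside the system directories."""
    return [f["path"] for f in files if f["path"]
            and norm(f["path"]).rsplit("/", 1)[-1] in SYSTEM_NAMES
            and not norm(f["path"]).startswith(SYSTEM_DIRS)]

def ioc_rows(files):
    # (path, final SHA-256) pairs sorted by path, empty files dropped
    return sorted((p, h[-1]) for p, h in hashes_per_path(files).items() if h[-1] != EMPTY_SHA256)
```

Run `ioc_rows(parse_listing(LISTING)[0])` to get one final digest per path for a blocklist; `masquerading(...)` returns the two csrss.exe writes and symsrv.dll, and `empty_files(...)` returns the path-less first block. To apply it to the whole listing, paste the full Files section into LISTING; the parser ignores blank lines and keeps memory dump entries separate from file records.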