Analysis Overview
SHA256
22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a
Threat Level: Known bad
The file fa42753a5fe2e60076476da32fcfaf01.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
Smokeloader family
RedLine payload
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
Unsigned PE
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:49
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:49
Reported
2023-12-11 03:51
Platform
win10v2004-20231130-en
Max time kernel
149s
Max time network
105s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9877.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sfsbfug | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sfsbfug | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sfsbfug | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sfsbfug | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sfsbfug | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3384 wrote to memory of 656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9877.exe |
| PID 3384 wrote to memory of 656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9877.exe |
| PID 3384 wrote to memory of 656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9877.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe
"C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"
C:\Users\Admin\AppData\Local\Temp\9877.exe
C:\Users\Admin\AppData\Local\Temp\9877.exe
C:\Users\Admin\AppData\Roaming\sfsbfug
C:\Users\Admin\AppData\Roaming\sfsbfug
C:\Users\Admin\AppData\Local\Temp\1583.exe
C:\Users\Admin\AppData\Local\Temp\1583.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\192D.exe
C:\Users\Admin\AppData\Local\Temp\192D.exe
C:\Users\Admin\AppData\Local\Temp\is-2AI56.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2AI56.tmp\tuc3.tmp" /SL5="$C0062,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 328
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\6BD3.exe
C:\Users\Admin\AppData\Local\Temp\6BD3.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2768-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2768-3-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3384-1-0x0000000002B50000-0x0000000002B66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9877.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Roaming\sfsbfug
| MD5 | fa42753a5fe2e60076476da32fcfaf01 |
| SHA1 | 8147938ec14fc596c55d1819f8e2cb3d92991ac5 |
| SHA256 | 22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a |
| SHA512 | e16b32648b38d7a6d8e2bb3062e0246d6bae0118d60b865eda9a671b26eb2f8f087d1ebddc9a6f9191cdc980e94d734adcd461e0dc2479e7790e2ebb79561dd1 |
memory/3384-14-0x00000000029D0000-0x00000000029E6000-memory.dmp
memory/3632-17-0x0000000000400000-0x000000000040B000-memory.dmp
memory/656-19-0x00000000013B0000-0x00000000013EC000-memory.dmp
memory/656-24-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/656-25-0x00000000086C0000-0x0000000008C64000-memory.dmp
memory/656-26-0x00000000081B0000-0x0000000008242000-memory.dmp
memory/656-27-0x0000000008190000-0x00000000081A0000-memory.dmp
memory/656-28-0x0000000008170000-0x000000000817A000-memory.dmp
memory/656-30-0x0000000009690000-0x0000000009CA8000-memory.dmp
memory/656-32-0x0000000009660000-0x0000000009672000-memory.dmp
memory/656-31-0x000000000B020000-0x000000000B12A000-memory.dmp
memory/656-33-0x000000000AF50000-0x000000000AF8C000-memory.dmp
memory/656-34-0x000000000AF90000-0x000000000AFDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1583.exe
| MD5 | 1ea753c26a9a9b36a1ea3eb6eef74792 |
| SHA1 | 5abc373a4ac4f2f374e9bee21ee1e2d104b2a4a3 |
| SHA256 | 28352504c842004725e1f53fc4e65e16065642452de646917dc606ddcfd9f970 |
| SHA512 | a9a62165d42ed8d380cdfe887f29d1028c2e96f7dc5f8cab38e2398f842eaf7c7f8191a454efae0280782dfddef2d9c7a8b142cce5008c346930d181ddbd5c42 |
C:\Users\Admin\AppData\Local\Temp\1583.exe
| MD5 | 6d85259c78b1d653d7e077ef515fde6e |
| SHA1 | fb27c5cf8c58199f67ee2b3caecfd3ee5bde86d0 |
| SHA256 | 847f4898f2adef5839ff24d7d9ea9da008dcadd4d620daf3c9321ff1b7cfdafc |
| SHA512 | 039d83cc5517be741eb120cef3bd77936742c25a23b44e7f9514678d99dd664c04842c2b62718b544053836d26bc6dfa7e4ac17eaaf3ae491753ffc986a50cdd |
memory/3328-40-0x0000000000310000-0x00000000017C6000-memory.dmp
memory/3328-39-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/1436-78-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/2848-84-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4952-99-0x0000000000180000-0x00000000001BC000-memory.dmp
memory/3328-98-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/4952-97-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/4952-130-0x0000000007090000-0x00000000070A0000-memory.dmp
memory/2072-203-0x00000000020B0000-0x00000000020B1000-memory.dmp
memory/656-254-0x0000000008190000-0x00000000081A0000-memory.dmp
memory/1528-257-0x0000000000400000-0x0000000000785000-memory.dmp
memory/1528-256-0x0000000000400000-0x0000000000785000-memory.dmp
memory/656-252-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/2068-251-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2068-247-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2068-248-0x0000000000400000-0x0000000000785000-memory.dmp
memory/3368-260-0x0000000002E30000-0x000000000371B000-memory.dmp
memory/3368-259-0x0000000002A30000-0x0000000002E2A000-memory.dmp
memory/3368-261-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4380-264-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1436-263-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/2848-266-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2512-268-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/2512-270-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/2512-273-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/2512-284-0x0000000006380000-0x00000000066D4000-memory.dmp
memory/2512-274-0x00000000060D0000-0x0000000006136000-memory.dmp
memory/2512-285-0x00000000067C0000-0x00000000067DE000-memory.dmp
memory/4952-272-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/2512-271-0x00000000057F0000-0x0000000005812000-memory.dmp
memory/656-269-0x0000000009130000-0x0000000009196000-memory.dmp
memory/2512-267-0x0000000005930000-0x0000000005F58000-memory.dmp
memory/2512-265-0x00000000031D0000-0x0000000003206000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | e531d4b3fe89b853c46bc13fe348d06f |
| SHA1 | 75fa013b9dc494df46a0b1227bcf7a59456a211b |
| SHA256 | 9c59b6ccdce18585f923ef2aeb39b3fc1d5bf47de74134629bf542248ec8cb68 |
| SHA512 | 5a3e06a7e1ebdb627e88c79dc1854423e55e4b2f0ff0a715d149d5e416f5a3ab59874cb7aa43ca1589909e004197f01120536bbb8c430c208ccf7917b45edbad |
C:\Users\Admin\AppData\Local\Temp\192D.exe
| MD5 | 52a959ca162a679855ffd3f5c08ec9a0 |
| SHA1 | d28813ea9b81c639ace82f812370fc1541ec9ede |
| SHA256 | bd91ce0d9b7621bbb0abaffb2085a6b53a0ff0c21a002f90cf11519f0a39fb3e |
| SHA512 | 4d33183acf674816bcb4760d5837bad1922d5bedc8f20c5ceff4d6c754b04c15d942fb448047eb96dbe6a1d0e3cb83c062848aebdf859bc3a06b820962eeaf33 |
C:\Users\Admin\AppData\Local\Temp\192D.exe
| MD5 | 74461137d38386f0473fbcb475d0fc37 |
| SHA1 | 9f849998554b4584a172dfc4e99d84454cd32323 |
| SHA256 | 59ba7fbb6e1f42ac28150728de37110b881ffd5cdabc359768566c4b1806f722 |
| SHA512 | d1e97e73886dc2bf11a076490f6665cca6b4716c767a61bf3e80af7b4bb1e75884df7b8aebb5557d23cd014c5d35b974f9609d71d855eb899be4945f25d9bae7 |
memory/2512-286-0x0000000006D30000-0x0000000006D74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | a3d098610415db87bc6cee13cda24803 |
| SHA1 | bfed2811ab2e0a6348eaccd168fc7ffc3a9c3d92 |
| SHA256 | f722cb4a916da1dae426e44f98a359eee43014d379b9c23118120c144cc52301 |
| SHA512 | 2d7be3981e1c4dd634ebd377f6b7cb866d00be726e87cd66348e3bdd55916b848a3b7fbca2bbb581b4f70103f669dbe1479a4beaeb11ffeb4646d1057b518361 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 02ab342dc31ba5c94685b020407a9bdd |
| SHA1 | eee928e482e81814c6c4d72df2e3cc61d4e1477a |
| SHA256 | 4514276540e9290b92cbf2c08ee6b0d522769ddc22812ce2baad167dd8a71e8d |
| SHA512 | ceb607b6b034e2529239372709862b612483205fa2bb69d398e1800ad8a8fafd44640260deb87ef2f0c511a1cdbcd7a1aa9acb9aca18f578907caaede55a7375 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 713258283d098fdc6a26408edc9dca13 |
| SHA1 | 5784f69076c2057f21b963a9e13fbd186fb1f308 |
| SHA256 | 7a268aff850715b2f1aef618c46512c531885248c1a05aea326ddd13bb39eea0 |
| SHA512 | 3af46480eb917f37bcb85c5fb046debe24d86f5804227388e81af9d351604d33b4bfce2fe034f8f0a60e2ac1088134236f4053681a844b4fe5b033657065929f |
memory/2512-287-0x0000000007AD0000-0x0000000007B46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d8d8daa14e7259290e728e98ff6bfbbb |
| SHA1 | 79627f6e255582d8eee34ada3c4377054bfa3ea1 |
| SHA256 | 21ceca5b4af638a7f8d6c1a0b7ce9b5ca459b28aef1b7d5f9d80381d09ad7a43 |
| SHA512 | bd326ddd695efa2420ee9940b9bce99400579b1b17a603358ca7e33f18275724d71023aeb99e786719260c2b50cfac4674aa996bd583e92c4545188af20737f5 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e33cadf4b3ae6a9d47c1f8357631426d |
| SHA1 | 6f7f9ee4e9d44d2e2829781034e9b3365ef21819 |
| SHA256 | be0de1f5f6d9c900cee889ff035623793aa11eb56717fc395f7daa0a6a2fdc0c |
| SHA512 | a8f384ba81c1f6e4ceada53ec23fb39bb28f9d259f73dcbbcfbf15cb20eb526a740378c7e2d90a9cdd915c2124f88d51af212706e7060b10bdc8a72bac2666c9 |
memory/2512-289-0x0000000007B70000-0x0000000007B8A000-memory.dmp
memory/2512-288-0x00000000081D0000-0x000000000884A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 7776759ea28041a3b23799da25b042d7 |
| SHA1 | 145ad923430023052617a70a957d96dcba1eb692 |
| SHA256 | db3491d1d1017660e5626ef5173a1d117d852a934341073ae67040e17fe779e0 |
| SHA512 | 4d4100e896f9c1b4156ff0f0028765d10dfe2a505d7cbcb273189751231a77921ff5a34448fd7a15809d147185624478565eb926be089264af89e6d7ce3f6308 |
memory/4952-290-0x0000000007090000-0x00000000070A0000-memory.dmp
memory/2512-303-0x0000000007D70000-0x0000000007D8E000-memory.dmp
memory/2512-305-0x0000000007D90000-0x0000000007E33000-memory.dmp
memory/2512-306-0x0000000007E80000-0x0000000007E8A000-memory.dmp
memory/2512-304-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/2512-307-0x0000000007F90000-0x0000000008026000-memory.dmp
memory/2512-308-0x0000000007E90000-0x0000000007EA1000-memory.dmp
memory/2512-293-0x000000006C5C0000-0x000000006C914000-memory.dmp
memory/2512-292-0x000000006DCF0000-0x000000006DD3C000-memory.dmp
memory/2512-291-0x0000000007D30000-0x0000000007D62000-memory.dmp
memory/2512-310-0x0000000007EF0000-0x0000000007F04000-memory.dmp
memory/2512-312-0x0000000007F20000-0x0000000007F28000-memory.dmp
memory/2512-311-0x0000000007F30000-0x0000000007F4A000-memory.dmp
memory/2512-309-0x0000000007ED0000-0x0000000007EDE000-memory.dmp
memory/2512-315-0x0000000074750000-0x0000000074F00000-memory.dmp
memory/1528-318-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4992-319-0x0000000002BA0000-0x0000000002FA5000-memory.dmp
memory/3384-323-0x0000000002B70000-0x0000000002B86000-memory.dmp
memory/4380-339-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1436-361-0x0000000000400000-0x0000000000965000-memory.dmp
memory/2072-364-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3460-363-0x00007FF76CDD0000-0x00007FF76D371000-memory.dmp
memory/1528-392-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4992-464-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1528-546-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4776-547-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 879f6daa64e7c5cd0c5407b3335f1a08 |
| SHA1 | 1b90e48b2db46ca06ecaa783b49afa596c69aaef |
| SHA256 | 0260e173818cf121d0b744131756d7799228508cd38af9a033f4bdf27f927728 |
| SHA512 | 51ca18517e520c98c4064f42d8ed2aba05318392ce11f89705dec7eab6c624790f561a9a3b09af4398ac2377787a4ac552eda66df116bb9ee1432d3c924cfdfa |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:49
Reported
2023-12-11 03:51
Platform
win7-20231130-en
Max time kernel
127s
Max time network
101s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52D1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fgbutbe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6A1A.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fgbutbe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fgbutbe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fgbutbe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fgbutbe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\52D1.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe
"C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"
C:\Users\Admin\AppData\Local\Temp\52D1.exe
C:\Users\Admin\AppData\Local\Temp\52D1.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {912C0FEC-7D5C-497F-AF98-EF07F264DDF5} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\fgbutbe
C:\Users\Admin\AppData\Roaming\fgbutbe
C:\Users\Admin\AppData\Local\Temp\6A1A.exe
C:\Users\Admin\AppData\Local\Temp\6A1A.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-GE7RL.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GE7RL.tmp\tuc3.tmp" /SL5="$9011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211035103.log C:\Windows\Logs\CBS\CbsPersist_20231211035103.cab
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\7BF5.exe
C:\Users\Admin\AppData\Local\Temp\7BF5.exe
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CB0F.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CD9F.bat" "
C:\Users\Admin\AppData\Local\Temp\D935.exe
C:\Users\Admin\AppData\Local\Temp\D935.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\taskeng.exe
taskeng.exe {3D97DE9E-7C0F-4D94-A127-818537EC859C} S-1-5-18:NT AUTHORITY\System:Service:
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
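Most rows in the two Network tables are sandbox noise: reverse lookups (in-addr.arpa) sent to the 8.8.8.8 resolver and Windows 10 background traffic to tse1.mm.bing.net. What remains is the sample's own traffic, and all of it goes straight to an IP address with no name resolution in front of it: two RU hosts on port 80 and, in the Windows 7 run only, 77.105.132.87:6731 and 176.123.7.190:32927 on non-standard ports. The following Python is an added example, not part of the sandbox report: it parses rows in the table layout used above (including the Windows 7 row whose Domain cell is missing), labels each connection, and returns a deduplicated ip:port list of the direct-to-IP candidates. The resolver address and the benign-domain suffix list are assumptions for this sandbox, not values taken from the report.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample: rows copied from the two Network tables. The last row
# keeps the missing-Domain-cell layout the Windows 7 table has.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | tcp |
"""

RESOLVERS = {"8.8.8.8"}  # assumed: the sandbox's DNS server
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")  # assumed OS background traffic


def parse_row(line):
    """Turn one table row into a dict, or None if it is not a data row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) == 3:                      # Domain cell dropped entirely
        cells.insert(2, "")
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None                          # header row or malformed destination
    return {"country": country, "ip": host, "port": int(port),
            "domain": "" if domain == "N/A" else domain, "proto": proto.lower()}


def triage(row):
    """Label one connection: resolver noise, OS background, local, or a C2 candidate."""
    ip = ipaddress.ip_address(row["ip"])
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns_noise"
    if row["domain"].endswith(".in-addr.arpa"):
        return "dns_noise"
    if row["domain"].endswith(BENIGN_SUFFIXES):
        return "benign_background"
    if ip.is_private or ip.is_loopback:
        return "local"
    if row["domain"] in ("", row["ip"]):
        # Connected straight to an IP with no lookup in front of it: a
        # hard-coded address, which is how the RU/MD rows read.
        return "direct_ip_c2_candidate"
    return "review"


def extract_iocs(table_text):
    """Deduplicated ip:port candidates with a hit count, in first-seen order."""
    iocs = OrderedDict()
    for line in table_text.splitlines():
        row = parse_row(line) if line.strip().startswith("|") else None
        if row and triage(row) == "direct_ip_c2_candidate":
            key = f'{row["ip"]}:{row["port"]}'
            entry = iocs.setdefault(key, {"country": row["country"], "proto": row["proto"], "hits": 0})
            entry["hits"] += 1
    return iocs


if __name__ == "__main__":
    for key, entry in extract_iocs(SAMPLE_ROWS).items():
        print(key, entry)
```

The output is the four ip:port pairs a responder would actually block or hunt for. Treat the benign-suffix list as a starting point: anything that lands in the "review" bucket (a real hostname that is neither a reverse lookup nor a known vendor domain) needs a human look before it is discarded.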
Files
memory/2100-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2100-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1364-1-0x0000000002490000-0x00000000024A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\52D1.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/3052-12-0x0000000000280000-0x00000000002BC000-memory.dmp
memory/3052-17-0x0000000074C00000-0x00000000752EE000-memory.dmp
memory/3052-18-0x0000000007460000-0x00000000074A0000-memory.dmp
memory/2504-22-0x0000000000400000-0x000000000040B000-memory.dmp