Malware Analysis Report

2025-03-15 05:04

Sample ID 231211-myxfyadhh9
Target 0x0006000000023234-4438.dat
SHA256 92e52d4a2fcf95b0dd487e49bacfac77ad241f4744f2c6edf670686553c3dec2
Tags
smokeloader glupteba redline 55000 @oleh_ps livetraffic up3 backdoor discovery dropper evasion infostealer loader themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92e52d4a2fcf95b0dd487e49bacfac77ad241f4744f2c6edf670686553c3dec2

Threat Level: Known bad

The file 0x0006000000023234-4438.dat was found to be: Known bad.

Malicious Activity Summary

Smokeloader family

Glupteba payload

RedLine payload

RedLine

Glupteba

SmokeLoader

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Deletes itself

Themida packer

Executes dropped EXE

Modifies file permissions

Launches sc.exe

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 10:52

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 10:52

Reported

2023-12-11 10:55

Platform

win7-20231201-en

Max time kernel

128s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ADC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5513.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 836 N/A N/A C:\Users\Admin\AppData\Local\Temp\5ADC.exe
PID 1192 wrote to memory of 836 N/A N/A C:\Users\Admin\AppData\Local\Temp\5ADC.exe
PID 1192 wrote to memory of 836 N/A N/A C:\Users\Admin\AppData\Local\Temp\5ADC.exe
PID 1192 wrote to memory of 836 N/A N/A C:\Users\Admin\AppData\Local\Temp\5ADC.exe
PID 1192 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\5513.exe
PID 1192 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\5513.exe
PID 1192 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\5513.exe
PID 1192 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\5513.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

C:\Users\Admin\AppData\Local\Temp\5ADC.exe

C:\Users\Admin\AppData\Local\Temp\5ADC.exe

C:\Users\Admin\AppData\Local\Temp\5513.exe

C:\Users\Admin\AppData\Local\Temp\5513.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\5785.exe

C:\Users\Admin\AppData\Local\Temp\5785.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\is-CVFE6.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CVFE6.tmp\tuc3.tmp" /SL5="$8011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211105430.log C:\Windows\Logs\CBS\CbsPersist_20231211105430.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B722.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B974.bat" "

C:\Users\Admin\AppData\Local\Temp\C299.exe

C:\Users\Admin\AppData\Local\Temp\C299.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\DC90.exe

C:\Users\Admin\AppData\Local\Temp\DC90.exe

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\taskeng.exe

taskeng.exe {B99B5745-8E20-42B0-B4F0-FE530C943FB5} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\F510.exe

C:\Users\Admin\AppData\Local\Temp\F510.exe

C:\Users\Admin\AppData\Local\Temp\F510.exe

C:\Users\Admin\AppData\Local\Temp\F510.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2d5797d2-22bf-4566-b0a4-bacc2488212b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
RU 77.105.132.87:6731 tcp
RU 77.105.132.87:6731 tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 5cf90fa4-1438-408c-95e3-e16aa26210df.uuid.myfastupdate.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
GB 96.17.178.180:80 tcp

Files


memory/1948-306-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-304-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-303-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-302-0x00000000767D0000-0x0000000076817000-memory.dmp

memory/1948-301-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-299-0x00000000767D0000-0x0000000076817000-memory.dmp

memory/1948-298-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-297-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-295-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1948-293-0x00000000013D0000-0x0000000001E9A000-memory.dmp

memory/1948-292-0x0000000077690000-0x00000000777A0000-memory.dmp

memory/1488-322-0x000000013F310000-0x000000013F8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DC90.exe

MD5 c1676faf8e98cfe50e5d389b3a708782
SHA1 dff20c566b7c11794192355071aa39dc380ff9ad
SHA256 f4b9582ba9267fbe696cc009978cca85d49daff844ffeaa8ff29998865ac39c2
SHA512 9d176f0842dc084553039e1b4426ee69d5a41aad5685a7d63e79e77d5b94157956223a31998141a5d5d57e1933aa729dff871d987fd7331c87669b7b035707bb

C:\Users\Admin\AppData\Local\Temp\DC90.exe

MD5 ce621617765b2f4c62588fd63d601da7
SHA1 fa5878b70bca938b688800e08a5a0adbeb006bc6
SHA256 3aaebb0814dfb6a980bcc4cb89324d7adc6715b29d9287ea2cdf9311dec78228
SHA512 e97094e68ba3e3ef1742aa86a7479840b8e3e803aff3b335ebd551878d8ae5d451c2ac39b5acf63ee9d96e25099473d8bd898a5cb01d1aa531d03a929495adda

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 491ffa2c209261da15c9a7d3c3fda958
SHA1 94cd9203e5c6ce69047048881bae7f827d81a61d
SHA256 b5a1a7c5eb79269b66ff715bc952ada097872a06b96b2eed063e7a237c918f5f
SHA512 a9b1e2aa4eb71c22733e34c625067f74f0f43c336c5e451bb3535b311c1d778c78a148177cef79d9f743a93eff84399fd4612c24934281edc3ceea7ba72eba27

memory/1488-353-0x000000013F310000-0x000000013F8B1000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 6f9f6f1689b05710edb8e8fa93ef30a8
SHA1 f956ca3962550ccecc5b918e24b853e1e75c5c7e
SHA256 fd72036fe403d95e135586e7ddddc48e25c7f47fbcd4e072a518fe0523caca82
SHA512 11324ae9d97e439329b186bd536045b604f4782ffc0a0856a980cd476a3dfc4579aca335705f80e978ee272f4f9e9f1294a8758f5aff4606b5bc22a7e5958c25

C:\Program Files\Google\Chrome\updater.exe

MD5 68f6c3c4b30a39ea223ccee648545cbf
SHA1 adc0971a8451882fe9976e464c9d752ecd819ae4
SHA256 7b6d1ccb685e1778066e6764213b810d5a397e48023b144fd65cdb434fdbe401
SHA512 227de074d7d88bd5b1cb43da520838ca21b289018a42f20eb4becc36c4439e53aeb81f4b237ea0cd914f046f68b7357dece4146440ae76fffeeef19837636d2b

\Program Files\Google\Chrome\updater.exe

MD5 65787d42a30668ce2e158610db96efb9
SHA1 752f0036fd96e123197e4fc2dceb737c95bee06e
SHA256 09f05c3c4ffdd0e518ccfe71c391a58377d0d6b9734fb3c1126e47fd678c7662
SHA512 9383327e4a64ba1aefdd3f2f91ab490623c310a884df3bfe79ec3939bc71070b59fa39fd1ca246ae1c26dd35000c1523679357632423d209a796927d41a08b22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A9TRWWL7KKRBQA9RWSYA.temp

MD5 d0201f21354f15279802b345515514e2
SHA1 d5c3add6d7bfb8095ecf771c039f0f071bac07ce
SHA256 8669f500dc20b5cab93732438e39581a964f975bc430c9ae4ef34133ab4bdbd8
SHA512 c18a22c1280c8bbbd502db4f9b27a0a7b5a66a12681970f21b3493e8ac4b373c4e53b6fd40aaa009fb1f4febdaca15707c54968cf41742014fca17e76ac0d3c8

C:\Users\Admin\AppData\Local\Temp\F510.exe

MD5 f891d1f27c90b11dbe000ea865af1a96
SHA1 7e85383d6bce480cbf42a94db5c3ca4520f163f4
SHA256 cbadb551a3c5749db2658748ee1ba7bee96c2c72c26de552d48c56b7ec92e3db
SHA512 749df973669a7330d2355b1c94b7406095fc85c38de9e0b0eadc564028f778de9903c835e5dd59fb4dd50bf9eb6fd871c564e71123ada13b26f17aa217130161

C:\Users\Admin\AppData\Local\Temp\F510.exe

MD5 9dc1703963821bd2de64e262d060bc99
SHA1 322aa8caceaa1d80f50a0083b9cbdf83179c1c70
SHA256 ed5e647b1e7a2a7452562bc54ef4087b7d017e1df9e774bcc3a4dc230f272fda
SHA512 49822b981f8ccbb50131bf08b292696186538e301b9935c23a7e9f67ab3731a7c3bced2d4e091779fd16df6314c1b3ee96451e79a573f5e323b2265b715f192d

memory/2680-366-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F510.exe

MD5 0b779324a093804b10035423a8fa86d9
SHA1 8541648999834e2d92670207bb32ea2a903e7162
SHA256 554a3cdd01fea1a0cc97da84f4a91db0354285dace8c86ea9fca985f5eb3c348
SHA512 d98ad5a07a91e5f802a57c7159734e67b3cc428f0680f67f175b1ce94b82badff2b3cdddae78fcbb8d65aae7e566d35d8ced64b362a1ff3c51814cbd9d591127

memory/2680-368-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F510.exe

MD5 30e9586b7f067b74f5266541e068bb49
SHA1 b4e2950973de4ef606dd960bd9a1785a958b03cc
SHA256 1829616c35d8b3294b4b5c9dea8912f983e8ada7e31dde3cba04737950addadd
SHA512 805f55959053260a568dfffad26c7ba09154b048677e7a5304f6fac1b30cc091cbf251f5f9c0f0761d2cadfe218e47d43fc4e1cb85f1f09e3baad4db82fc7e32

memory/2680-372-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\F510.exe

MD5 f4cd50607d1fbd1da99ffc90a4f77db7
SHA1 7d6b1b2ea7ec0676af5645ee1dc2041ec0938837
SHA256 22f14c3dfb26b0534e1cc25592da3e277a287bdeafcb1a8f10c129888693dbc4
SHA512 2db5530a60145ab97b31f0454fa715b7bc86db34286c8329b920c67e57eddbe6d477cf651167caaa74f9e44f4e96839793839fc0bf0234dd679f40076a9acc98

memory/1272-363-0x00000000008D0000-0x0000000000961000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca3ffc0173823448bb0a80b7c2ec4e47
SHA1 4824fd698d7c4bd702a89f848b1a1d7fa5caf7d1
SHA256 149fe4502903be606f08c3a303ae425bbf9abe174bcaebb78dd33b7cf3e0ee23
SHA512 4fe14f63bbfa0616dfab85e31080f216046c1bb12cd863ae783c84ecfff10f225054223ee8b2351e653c3dfd781890def4c334c5326608854fc6ba3527442157

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 10:52

Reported

2023-12-11 10:55

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F63.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 4136 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F63.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

C:\Users\Admin\AppData\Local\Temp\4F63.exe

C:\Users\Admin\AppData\Local\Temp\4F63.exe

Network


Files
