Analysis Overview
SHA256
92e52d4a2fcf95b0dd487e49bacfac77ad241f4744f2c6edf670686553c3dec2
Threat Level: Known bad
The submitted file 0x0006000000023234-4438.dat (run by the sandbox as 0x0006000000023234-4438.exe, see Processes) was classified as Known bad.
Malicious Activity Summary
Smokeloader family
Glupteba payload
RedLine payload
RedLine
Glupteba
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Deletes itself
Themida packer
Executes dropped EXE
Modifies file permissions
Launches sc.exe
Unsigned PE
Uses Task Scheduler COM API
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 10:52
Signatures
Smokeloader family
Unsigned PE
(1 hit, no further detail recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 10:52
Reported
2023-12-11 10:55
Platform
win7-20231201-en
Max time kernel
128s
Max time network
102s
Command Line
Signatures
Glupteba
Glupteba payload
(1 hit, no further detail recorded)
RedLine
RedLine payload
(4 hits, no further detail recorded)
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
The rule (full command line under Processes) allows inbound traffic to C:\Windows\rss\csrss.exe. The genuine csrss.exe only runs from C:\Windows\System32, so the name and the rule name "csrss" are a masquerade for the dropped binary.
Stops running service(s)
Deletes itself
(1 hit, no further detail recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ADC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5513.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
The command under Processes denies *S-1-1-0 (the Everyone SID) the DE (delete) and DC (delete child) rights on the dropped directory under AppData\Local, with (OI)(CI) so the deny inherits to every file and subfolder: the payload directory cannot be removed by an ordinary user without first fixing the ACL.
Themida packer
(2 hits, no further detail recorded)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
The five invocations are the `sc stop` commands listed under Processes, chained from one cmd.exe: WaaSMedicSvc (Windows Update Medic), UsoSvc (Update Orchestrator), wuauserv (Windows Update), bits (Background Intelligent Transfer) and dosvc (Delivery Optimization). Together they stop the host from receiving updates.
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
These are the two `/create` calls under Processes: task `csrss` (ONLOGON, RL HIGHEST, runs C:\Windows\rss\csrss.exe) and task `GoogleUpdateTaskMachineQC` (onlogon, highest, /ru System, runs C:\Program Files\Google\Chrome\updater.exe). The PowerShell one-liner under Processes picks schtasks when the OS version is below 6.2 and Register-ScheduledTask otherwise; this run is Windows 7 (6.1), so the second task was created through schtasks.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
(62 further hits without recorded process detail)
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 836 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ADC.exe |
| PID 1192 wrote to memory of 836 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ADC.exe |
| PID 1192 wrote to memory of 836 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ADC.exe |
| PID 1192 wrote to memory of 836 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ADC.exe |
| PID 1192 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5513.exe |
| PID 1192 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5513.exe |
| PID 1192 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5513.exe |
| PID 1192 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5513.exe |
PID 836 is 5ADC.exe and PID 2904 is 5513.exe (the Target column); both were dropped and then written into by PID 1192, whose memory regions appear under Files as memory/1192-1 and memory/1192-156.
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"
C:\Users\Admin\AppData\Local\Temp\5ADC.exe
C:\Users\Admin\AppData\Local\Temp\5ADC.exe
C:\Users\Admin\AppData\Local\Temp\5513.exe
C:\Users\Admin\AppData\Local\Temp\5513.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\5785.exe
C:\Users\Admin\AppData\Local\Temp\5785.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\is-CVFE6.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CVFE6.tmp\tuc3.tmp" /SL5="$8011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211105430.log C:\Windows\Logs\CBS\CbsPersist_20231211105430.cab
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B722.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B974.bat" "
C:\Users\Admin\AppData\Local\Temp\C299.exe
C:\Users\Admin\AppData\Local\Temp\C299.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\DC90.exe
C:\Users\Admin\AppData\Local\Temp\DC90.exe
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\system32\taskeng.exe
taskeng.exe {B99B5745-8E20-42B0-B4F0-FE530C943FB5} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\F510.exe
C:\Users\Admin\AppData\Local\Temp\F510.exe
C:\Users\Admin\AppData\Local\Temp\F510.exe
C:\Users\Admin\AppData\Local\Temp\F510.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2d5797d2-22bf-4566-b0a4-bacc2488212b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
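The command lines above are the raw evidence behind the signatures: a firewall allow rule and a logon task for a fake csrss.exe, a Defender exclusion for the whole user profile and Program Files, the update services stopped, sleep timers disabled, and an ACL deny on the dropped directory. The following is an added example for this page, not part of the sandbox output: it tags a verbatim copy of those command lines with the behaviour each shows, so the same rules can be run over process-creation events from an EDR. The EXPECTED_DIRS allow-list and the UPDATE_SERVICES set are this example's own assumptions, and the makecab line is included as a benign control that must produce no tag.

```python
"""Tag Windows process command lines with the behaviours seen in this report.

Added example for this page, not part of the sandbox output. SAMPLE_CMDLINES
is copied from the Processes section; the rule set, EXPECTED_DIRS and
UPDATE_SERVICES are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Command lines copied from the Processes section (makecab is a benign control).
SAMPLE_CMDLINES = r'''
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
schtasks /delete /tn ScheduledUpdate /f
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
sc stop WaaSMedicSvc
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
icacls "C:\Users\Admin\AppData\Local\2d5797d2-22bf-4566-b0a4-bacc2488212b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
powercfg /x -standby-timeout-ac 0
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211105430.log C:\Windows\Logs\CBS\CbsPersist_20231211105430.cab
'''.strip().splitlines()

# Core Windows binaries and the only directory they legitimately run from
# (assumption for this example; extend for your own estate).
EXPECTED_DIRS = {
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}
# Services whose stop disables Windows Update delivery (lower-case sc.exe names).
UPDATE_SERVICES = {"wuauserv", "bits", "usosvc", "waasmedicsvc", "dosvc"}

_SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", re.I)
_SYSNAME = re.compile(r"([a-z]:\\[^\"'\s]*?)\\(csrss|svchost|lsass|winlogon)\.exe", re.I)


@dataclass(frozen=True)
class Finding:
    tag: str
    detail: str


def stopped_services(cmdline: str) -> list[str]:
    """Every service name given to 'sc stop', including '&'-chained calls."""
    return [s.lower() for s in _SC_STOP.findall(cmdline)]


def classify(cmdline: str) -> list[Finding]:
    """Return one Finding per matched behaviour, in rule order."""
    out: list[Finding] = []

    # Defender exclusion added via Add-MpPreference -Exclusion{Path,Process,Extension}
    m = re.search(r"add-mppreference\b.*?-exclusion(path|process|extension)\s+(.+?)(?=\s-\w|$)", cmdline, re.I)
    if m:
        out.append(Finding("defender_exclusion", f"{m.group(1).lower()}: {m.group(2)}"))

    # Inbound allow rule added with netsh advfirewall
    if re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", cmdline, re.I) and "action=allow" in cmdline.lower():
        prog = re.search(r'program="([^"]+)"', cmdline, re.I)
        out.append(Finding("firewall_allow_rule", prog.group(1) if prog else "(no program)"))

    # Scheduled task creation; escalate when it runs at logon/start with highest privileges
    if re.search(r"schtasks(?:\.exe)?\"?\s+/create\b", cmdline, re.I):
        def opt(flag: str) -> str:
            m2 = re.search(rf"/{flag}\s+(\S+)", cmdline, re.I)
            return m2.group(1).lower() if m2 else ""
        target = re.search(r"/tr\s+[\"']*([^\"']+)", cmdline, re.I)
        detail = f"tn={opt('tn')} sc={opt('sc')} rl={opt('rl')} tr={target.group(1) if target else ''}"
        out.append(Finding("scheduled_task_create", detail))
        if opt("sc") in {"onlogon", "onstart"} and opt("rl") == "highest":
            out.append(Finding("logon_task_highest", detail))

    # Stopping the Windows Update service family
    hit = [s for s in stopped_services(cmdline) if s in UPDATE_SERVICES]
    if hit:
        out.append(Finding("stop_update_services", ", ".join(hit)))

    # icacls deny for Everyone (*S-1-1-0) on a directory
    m = re.search(r'icacls\s+"?([^"]+?)"?\s+/deny\s+(\S+)', cmdline, re.I)
    if m and m.group(2).upper().startswith("*S-1-1-0"):
        out.append(Finding("acl_deny_everyone", f"{m.group(1)} {m.group(2)}"))

    # powercfg disabling sleep/hibernate timers (keeps a miner or bot resident)
    timers = re.findall(r"powercfg\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0", cmdline, re.I)
    if timers:
        out.append(Finding("power_timeouts_disabled", ", ".join(f"{a}-{b}" for a, b in timers)))

    # A core system binary name referenced from a directory it never lives in
    for m in _SYSNAME.finditer(cmdline):
        name = f"{m.group(2).lower()}.exe"
        if m.group(1).lower() != EXPECTED_DIRS[name]:
            out.append(Finding("system_name_outside_system32", m.group(0)))
    return out


def tags(cmdline: str) -> set[str]:
    return {f.tag for f in classify(cmdline)}


def triage(cmdlines: list[str]) -> dict[str, list[int]]:
    """Map each tag to the indexes of the command lines that raised it."""
    hits: dict[str, list[int]] = {}
    for i, c in enumerate(cmdlines):
        for f in classify(c):
            hits.setdefault(f.tag, []).append(i)
    return hits


if __name__ == "__main__":
    for i, c in enumerate(SAMPLE_CMDLINES):
        for f in classify(c):
            print(f"[{i}] {f.tag}: {f.detail}")
```

Each rule keys on the command line alone, so the same function works on Sysmon event 1 or EDR process-start telemetry; the path check is what separates this run's csrss.exe in C:\Windows\rss from the real one, and the chained `cmd.exe /c sc stop ... & sc stop ...` line is why `stopped_services` uses findall rather than a single match.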
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
| US | 8.8.8.8:53 | 5cf90fa4-1438-408c-95e3-e16aa26210df.uuid.myfastupdate.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| GB | 96.17.178.180:80 | N/A | tcp |
Rows with Domain N/A are direct-to-IP connections with no DNS lookup recorded. msdl.microsoft.com is Microsoft's public symbol server; together with the ntkrnlmp.exe, dbghelp.dll and symsrv.dll entries under Files, that traffic is consistent with a kernel-symbol download rather than command-and-control.
Files
memory/2368-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1192-1-0x0000000002D50000-0x0000000002D66000-memory.dmp
memory/2368-2-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5ADC.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/836-12-0x0000000000130000-0x000000000016C000-memory.dmp
memory/836-17-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/836-18-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/836-20-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/836-21-0x00000000012F0000-0x0000000001330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5513.exe
| MD5 | 67b912afae53611669cdc78f6a97c022 |
| SHA1 | 96e15adb27fcacec9c6879ce14dad101dfab1382 |
| SHA256 | 04b62f6fb0169e4dff4bc192bb45427bc5fb509d455fdbba31d62a1e001ed316 |
| SHA512 | 141847f2a174d57c2321fdef049787035ed67d807bfb51d268bb80f8746f25f80ffc6ef4246d4f48ec6bfe8daac2fc9a0dd1dc8d1711827739d968f90b618a3d |
memory/2904-27-0x0000000074C10000-0x00000000752FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5513.exe
| MD5 | e4d5e4a5785029870a0b372a258f404d |
| SHA1 | 0d225dc2e7a0da9555d9a39802cdebcb203045ba |
| SHA256 | 89d796a659b2cbe1b16f39bc14da19b0f5ac8ba8ccf98a7a292785dc8d487d57 |
| SHA512 | 8e5920591523f14eae0e19e61e2d15234a577f31e9970eb6b71e76011d35001abf147ad226844058130530f45ea615e608bd8fb3f1b608e1214addd355b429c2 |
memory/2904-28-0x0000000000C60000-0x0000000002116000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 3a3a85bd479571468312c9758f96a013 |
| SHA1 | 99c1ca16ec907fe179149116f70607cd6238261b |
| SHA256 | ae1c6963e78feacb6205156986ee57e196bb6c3bab5a9bc2f0693a42fe796123 |
| SHA512 | e89ae6032cdc54a4f4d8b45a16a64b97f9e32ee68fcd072a8998c67140e2bb33d9e2e7ef832b474972112dfd5f544bfeb8c592fcf76eb8f4fa9660a8a2232d65 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e93388ddbf22707326229f3b9d11634d |
| SHA1 | 925166d178c5402be8b0932afa8057b3603a951d |
| SHA256 | 544554efa3947edf5d17ce323330067760a56ae7fbeaab956c9645a547f8bd43 |
| SHA512 | 4d4c3de3dbd4c4f4d20e717b3edd2a540d72c495773462bf2a58c5b3d5dd162fae1b8c763c5c155ca167e3b9eee7504d74844793a1fe8fb7c4b3dedee18e3f87 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | edced3b81e88870a32b6b94c200efee9 |
| SHA1 | edd20629d182e495f886f45ce5488b2033000a35 |
| SHA256 | 1d20ec0267749bd22d489c6c5a5199aabc8d37b3f45518491fe7e3ffaa6fcb1c |
| SHA512 | 5a9aab2fe760e6fc3e1aed104601dd52119b51768f181b95683f5f33c4b61d454840b7233fbed241ad12bea3c110ec98e2b5c6cab6a1dbab6bbc6f2d9c30285f |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | a23f2ffa5ecb7f87fec6c1e1b8251ccf |
| SHA1 | 7461c358db137d672dbd73d85ba5c1a791c00e35 |
| SHA256 | 022e1bcae154e1f93dcf371702986c4b55d1f50f2f56f6f46974aadacec55a76 |
| SHA512 | 11fcd4ef527bdfcb7347fdc6c9fdf48ae2540a7f14dd064b08c9cdee32f32ad2705479e8806d307a4e0e94976c0d8edb742ec7ea5a7a18384ba05902091ab18e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c420b10da2d3d6c7e1521b08d9473fe6 |
| SHA1 | 3ebc61d390a7529d3fe7bec93bf8b9d7328147e1 |
| SHA256 | 890c48e5a3e87429110c07ec9d17d38dd3001bd2cd53e022b26103dd47b12d3c |
| SHA512 | f8d650921fdb45bf9d8c8cc132f2df7cf6f29473474dddf1b869fec8f52bc80563ed88f8640403eb09b37b3cc41436603afdd2ba9267efe0cc290f029869dc82 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 8f93d210f7dcd9c8c8c538392c7fe450 |
| SHA1 | e49c192f30d79b4ad1da45094836306dfa8f9a77 |
| SHA256 | eb6cf3ee4dc57bcc0ccfc6b67a9990581c0c45d3636c8f101d299bcd6492ca48 |
| SHA512 | 0a20b00a0edef4d36164934bebaad392df108067294e51fc312165c4f560b932d42344543525b3bcc1e1b0b2aee5d89a9f377584ef2c878a63962c565d6d82f0 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 4a93bcc24fefbb3c4c5d3497ce4fc1fe |
| SHA1 | e3393759ba76b75c4ff46ac18581c14e10c5d397 |
| SHA256 | 816c6f8d78ea137aa7ce14ea773048696d8d8b8308f42c72d28aed9c5b9a9e92 |
| SHA512 | 0bab412f0c970abb776be141a11af9ff3fe0a73f960925c551eafc4a9d1ff5ec48fc88adb1b97d5a75c9b34e62cb962d69d128e7b45251a2de66a3133d37ef4a |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ede0406000b149898d57261c4737cb16 |
| SHA1 | 0aa7b65a0a83fedeeb6f6545af9f221d12117618 |
| SHA256 | 045b900a21b3e2aebebc6944daaea9c9a8c1a92ba4f0c633f1ae02cd907d3d50 |
| SHA512 | bf56f6dac763970ca57448ab4dba49283d5437eac0c6eec98bb6a481324126548c47a103f7e18de96e7701966eded60821207d3abff56c11767cd9c74b80e96d |
C:\Users\Admin\AppData\Local\Temp\5785.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 0a2edc6e13673c033b86a8b5d7146256 |
| SHA1 | 5fbf1c25205df6e6a18c2a9e4a2220338f319238 |
| SHA256 | cb8d75dc98b1dfd8c1c32565dac75e914fcd9b5f425b9ef49aab41a599af6b4a |
| SHA512 | 8ef6926ede4f5e63671514941546da5821c4e7fad08e6e8d5fc447779975091ad7269225c158d2954906bfb1cd49822209d53e228872b53d69637e36bd5f61db |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 3344aa079a27073f82e5bf9d23baea78 |
| SHA1 | 83340ac99c3e56944fcb4bc715a3105304ba841c |
| SHA256 | 6230ad3df34f7e3bf9962c0bd1a5f46e6f4326cb731916398930bb9015ffc801 |
| SHA512 | 5391f7b68aaf0012078eafe873df6668af7ae86603f0b557a2dc7d33cf6e925dd8fa2b833638b96888254d96859db93cf7195095ab158313ead091ca9ddb2bbd |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | ba5cc4fc3fdfb192c39faadaf858282f |
| SHA1 | 8c372bf6bfd1c8b3f46d63e96b5d6148e1e98f50 |
| SHA256 | 25b5c6bfb6ecef2b2a6dbaf2a8b083222f237fe1afb11230706f31760c62f668 |
| SHA512 | bda115fa326802dbc9ea9f716255f421b8a7211e9c1ee8c13f1dee8a300ef6fb9107b51d3d2919c4f572784c2844c546ef9a2a6ec8eed98b09146c86a5d3157d |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 20d1d6d1da7a1c914148261877876c8b |
| SHA1 | 84ae3d64f5d6f9e7917f6432d22a81118d2c969f |
| SHA256 | 8c5f19b27529235b0209d5d18b5d2f2752af964f953b157d582519421778c8ae |
| SHA512 | 5ebbb070fdb3968649f2d1423af45c2207f32b8c4f0659e12f9dcde6e62788eeddb340ded3cf56cc5f6318b101b2a2630c9090c1287cd0419120565772830c23 |
memory/1572-69-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1740-68-0x0000000000E40000-0x0000000000E7C000-memory.dmp
memory/1740-79-0x00000000042C0000-0x0000000004300000-memory.dmp
memory/1740-65-0x0000000074C10000-0x00000000752FE000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-CVFE6.tmp\tuc3.tmp
| MD5 | 8eb5b996fd5613fe21d85fd8c3dbd768 |
| SHA1 | 66381eeff9ff14e15de9ec5437655527ef8b600c |
| SHA256 | 7fb2a97fc3cc62131087705588b85b03204e2414f83fa76c113369a127ec4f24 |
| SHA512 | edecf210c97ed24905bd4bccf5359e619e2bbce4d503f8401a78d8ab61e4f05ee0de62cbdd11472aae4aea8b9efccd79943115c6034bb1922b29fc28dd5e1a66 |
memory/2316-84-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | e835586a6250d9e608e804783b63ed43 |
| SHA1 | 3c004201790995dfae53e0fc1f9fefb79237ac40 |
| SHA256 | 63e4b54abc5898c5af45b90532c4929d5963f685449f310b68bf3ba78291850f |
| SHA512 | f5a6e15f25481a063e40a093f6eaea0ee40813e0ddc2b247ec4e9d95e00598ade915ab3179252b036edf79c4aec3096866858acca27a4c80b6641dadeaab781c |
memory/2904-114-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2272-113-0x0000000002640000-0x0000000002A38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | cb7232cc89127bca287c7e9d7ff42f62 |
| SHA1 | 683a8d0ac3740e0c8f6244a762886ae0122690b5 |
| SHA256 | 592db4baf0e259701f44de07479f5dc8e7e1eb52c79f60f2536dc2880236078f |
| SHA512 | e7d7544f8ffdd7ae457642a2af36f39c8e788031dcffae0545676f730497a83863b55f70091e609661a105ac0a65579564af7333b6741ba6bc6f9d9b8579efca |
memory/2440-99-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-320BQ.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-320BQ.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-320BQ.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\??\c:\users\admin\appdata\local\temp\is-cvfe6.tmp\tuc3.tmp
| MD5 | 0130489c5bcce315a0a9db8e307195a2 |
| SHA1 | bdda842d99d9b85aac2411a86c1660ed4f289e76 |
| SHA256 | cc7838bfb194f129c2a2fc602573b7ed5b47e14c7c744bac600a752ea779658b |
| SHA512 | c5ce36441c082344e93d982c367c2aed226f10f5b1fb2fb0016698532bbcbae08f4685ad8ab4f69feeb217b3d603bafc934a2b2f852e28347e4b0cee6942d5b5 |
C:\Users\Admin\AppData\Local\Temp\is-CVFE6.tmp\tuc3.tmp
| MD5 | 80a5a55a4e81fda45b3eb0cdcf3bc195 |
| SHA1 | 253fc29c52b9c0e205da47e5635aa6c7aa688d76 |
| SHA256 | 15b8ce54511d9bf4e359027457883c3795048e58c74cb4ddf3dc6c09be552c2e |
| SHA512 | 6b136818834db259d634a308d9491166a84cac93ccc0b3074ca9147c00df2e94fe0061023a671d04b21fbad1d7a3e28ea07df6a47b7db1df97b9fe265bc9959d |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | b528c38312d82b8d3a39f31d3ed4ab99 |
| SHA1 | dfb22f880ee1a70361aa760f08b0a1c32dce6f69 |
| SHA256 | 0731972034b4a7ed314e9deae113abad40dbee18979a5b072a791f8e40c1beaa |
| SHA512 | 04989302eb53371f642300e0346cc3896115233aa931e0b2e363cfa37a72528811003d40642b2bf13f0cc53db9e70b253075af63a7838b320ca076b5dc66bad8 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 4422adebba12493cc9c7af89d29d06c5 |
| SHA1 | 0173169ed941186d9820d528297148edfeee594f |
| SHA256 | 0e06b6c876419b1d545d88395788131cc66fccf49275700f4f7cc389be2cd61f |
| SHA512 | 9c51677162d5ec0f3bf3a48ba6970dfa3a3f6ae8476c602a10d4446f0c3f400b8a96ca4da4f310d31c9c88e52c845208cfac4eb81be40a94eb9978e38a0be921 |
memory/2272-116-0x0000000002A40000-0x000000000332B000-memory.dmp
memory/2272-115-0x0000000002640000-0x0000000002A38000-memory.dmp
memory/2272-117-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f47354f5f5b41a08668690480f143c82 |
| SHA1 | 09d10d77cb09a624cf795952b7a5959299a5d0e8 |
| SHA256 | e7786e675e970d1319d363536e87360c087c69719f7e7cd63dfec0032ee39f4d |
| SHA512 | b59598ae90e99a17e0d93de61b28580de7ef6238ffcdb5924a4481436d6629e5607225368cdb05e067421df251e1ab6e0c1efb7b8210cba1ebab6a7ab1453590 |
memory/2212-120-0x00000000008B0000-0x00000000009B0000-memory.dmp
memory/2520-128-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 18e3b8d8d0f5442c95c17b4762d5addc |
| SHA1 | 8181c7f39989308bb8c9c49c85ba73d3ee6ab32b |
| SHA256 | bd503b1bd8bb268088f90a7c0b99b294b5764389bf9a86df65c7c0dfe3c408b2 |
| SHA512 | 7267c450a0d4237f3e703254ea56ad70f834a2e5b5eb234bee672b79901d5692016576b3c8c1ad0411c9e5bcac05cad2aab239f1085c12d541b112f1feb866e2 |
memory/2520-126-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2520-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | ede3af7074d8b4d48ae3aabb2652200d |
| SHA1 | d2bfc3aa261d8d57efcd76290ebe1ead60dc9d17 |
| SHA256 | 160925124d42ceee6860ecbac8b528be47c5bf1dbec0c478d4c859386d44750a |
| SHA512 | 4e4dafca4fc873d69a126c73a011e5561fe7e9d338bb9fcd9ee4059b5c6070622e7782a71361d689b4581e8e401f28297d094a59edf6b153501b478d17691db4 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b1f5896e60f94e9e14bed0ec110fb2a5 |
| SHA1 | 879d68827d6fc17a4c1813a70c3f5902c5959103 |
| SHA256 | b534acb6db481fc0dd4b3e287896b7a5b3eddf815c4b2a79bcf8485032b0c53c |
| SHA512 | dbe801fcf94e35de9a513830acc2927bde07ad92853031053774f274b212869d8779fb66485630970278444d603ae5eeff557931080487009f1ee6ebf2cf68a8 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 260327e92d5735a14020069f33c643b1 |
| SHA1 | 829021a86a33f41bd0dd0a30580d7e0e6c01ade9 |
| SHA256 | e835f601d8695cd30373cdd20f5d7d22340703aa55267b381d000bfcfaf3b4bb |
| SHA512 | 236297fc93e69e4dc67e8efa5017962e6373ece76b0a77f95425fb8df9aa3e6a0ff5a25f43e3e100ea44ea832388fec99242ea303708b3da83281baa75cdc1b7 |
memory/2212-121-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2272-130-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/852-132-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/2272-131-0x0000000002A40000-0x000000000332B000-memory.dmp
memory/852-133-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/852-135-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1740-134-0x0000000074C10000-0x00000000752FE000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 5ef33f6413d70cee530b4141f2385a02 |
| SHA1 | 9ef85141dc35bbedee2a2069c0c823569f3e9e1b |
| SHA256 | acbde1b6fff56557eb29ee06605635178102efb9435924b89bc67afe70c91385 |
| SHA512 | 14d2e97b4ced89b19773108f71aa6368b217b5ae223a32b634ae417bc9622878f6d2291e0b39d4ec2d7d3e4e14068f6b899e049b5aaaa19916dfe9d0a0af73cd |
C:\Windows\rss\csrss.exe
| MD5 | efee9e7c62cb2846cd23c78b83cc1339 |
| SHA1 | a3586ac227c00c3bc44afad34d17473303776edb |
| SHA256 | a01217e39d49b6fb2948d6f8d351d7cb5052d778799c7b451f5752f10de02b52 |
| SHA512 | e7396bbb37257f7d0edc454fac293ae09c4ea1a7301837d1a240570760b88837e967646b9271b3f8c924768b1683d71b1e5e59ad4dd4097507b8c7a4f4ee7b4c |
\Windows\rss\csrss.exe
| MD5 | a579d798b8bec5d1d055d41deb546476 |
| SHA1 | 34feec6fca4662d29e0bfb646051439f9ae9df32 |
| SHA256 | f90ef4bd81f192a6859ffb39e967290ae4fcaf7c02ed2d6280505ed33dc3b817 |
| SHA512 | 14752ad3462527f0f7c4ca82fe29033bc7004496b6cea48df6e6b38fe65a69e872dfc5ab6f199113c31dd9711ed1ff92e0775d38d142eb755a3a2e9e8bad0ff3 |
memory/852-144-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/852-145-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/2116-146-0x00000000027C0000-0x0000000002BB8000-memory.dmp
memory/2116-147-0x00000000027C0000-0x0000000002BB8000-memory.dmp
memory/1572-148-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1740-150-0x00000000042C0000-0x0000000004300000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 6f1dfaf46cc290b5c1bc726d09ec3617 |
| SHA1 | 729cbff3716de6be58d1d83724b23e88fff6f38b |
| SHA256 | 32b788ce0b68cd43d71b018be9ddfe0ac71e32a7bd095faf231010cfd2c0ad39 |
| SHA512 | a5130aa6f5afc6e6dc888a44624a951faa9ba5ef182ab502d0101bf0bee1bd7b95b828a6bc3b222716a2013389dbcf211f6175d15f312bb7efbf5f8dc82583c4 |
memory/2116-149-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2520-157-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1192-156-0x0000000002F40000-0x0000000002F56000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 02570a15ff7f380fbed4f2a751226686 |
| SHA1 | a6b77a2c68684e7f79bc6be4cae1d088fdd143b2 |
| SHA256 | 8c2c1d320a2ca5c1c25a2e56c8c5ce3c5878c4ec65b8ea01001d9c1718d9245c |
| SHA512 | b383c2bef06deb93c3119a943267c0e088b72f0fb1db4730d701b05adf7513adbd8e59f4a01e862c9f962dc9ffb65cc06ed07881347038d13543326e2318adb9 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
(all four values are the digests of a zero-byte input: symsrv.dll was empty when the sandbox hashed it)
memory/2440-188-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2768-189-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 28a80c4067f12abbc2d350eb8ec6187a |
| SHA1 | 57d08d8abdbe3cb9a0ebe70d5550c25bcc06859b |
| SHA256 | 09fc827e13fb5b115ab0c38282a8335830f37de47ae854e90fefebd322395084 |
| SHA512 | 4639e82293829db5786cdbc6bbd52bd296c50c20effeab11b355d6f4c03abc3a25f7610fbaa49399b33703609649de9acb6a76b4e9acec4a27ada8504e9e5d05 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | fd54a7a5fa743b321982de12fae9539f |
| SHA1 | 0472815a492a9dd9fc653bf56566a186f421448a |
| SHA256 | 562f5d7b13333d0908b11f0f249a5ef11ded08a67c1b735ab1ae2ff8cc08408f |
| SHA512 | d6c353ee13a94951ca6dec46adb45e15006133b4bf0eed4c293e642a8acfdecfeb051bdebf4f2e88a3e95c2345f22cb52016724305203b574dc84533f63ec486 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 22476f80cc0ca6060d8ba755344ccb75 |
| SHA1 | b8bca838e4659857685f0164ceefb7baf13e4666 |
| SHA256 | 865281a84b83077a21981be197ebbe78eddd90215f185432f9ffef5e0c943950 |
| SHA512 | b6a9eb658be559b56c97fa24ffd03f0ddd9cbc20a8f4333685d1d7a2df252bb2ffbd05a16ff003e6574ec4a4688f30755ddef16ee412fe227c02cd206c45b327 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 5cafcc689aeddaeb18fd432f882c1bdf |
| SHA1 | f5dc1c0a8b2e6ab2ad72a43c6e72a807e515d641 |
| SHA256 | 98bd457d7b39f6eb7a46510a99af6b937b32896d99177dd018b3d213b9f3a2b9 |
| SHA512 | 49372c027b2e76d1b7d98f6576dfcad62b62a3842dc633ea33a698e29f09fb70fdf73962aa39e3224a1e1cab353bff3a20c8adf6b294bb60646c424627d370bb |
memory/2768-180-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2316-175-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | e32681f0f74198658b6149594aa9a744 |
| SHA1 | 1bf3fad0061abf349c7301fe4bff6bf7e74554a9 |
| SHA256 | 3c5bd8b9f881a8b32cddc396c5b7a643297df385c079210937776d34f8761872 |
| SHA512 | 74d92e2cb638bd42349ede4b4b092902a0ccdae04b5e1a5ddeabf8bad604b8a6f091570f9598e4109f33ad903f16d59d34e180e955d3241b7a778019ed9b5d61 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 4b60fd0e3760b265a04d1c9b7d335150 |
| SHA1 | e34ddd688de01bd7dba138ed34fb4f4c3e6a209a |
| SHA256 | 71117c12a1466fd37b5470c3e05eba543786ab3c106574dd7b20dc0078b73b2f |
| SHA512 | 5b9df050dca89be8e17651d35b3c17ee437bebbbfa2b3a421f4b96ea7358ce86bbc1f5178f7ffd90de3d23e42dab8c86bfed8f2beb7b970989c5b62bcb6f0fb4 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 40f6f36904b20e5b79c5ecc08f3ef681 |
| SHA1 | 3eab03b80edc0a07ff85f257ad8fd006c9c5f59d |
| SHA256 | c6fea234cb0fec352a137ec054563601c154b75e87c9b7edac853ca422addbce |
| SHA512 | cdedf3120bbbc2f8e6f58d7229f0f2f7d10315406e832157e88114ea505f833bf393f1ca8db381f562472c062cbb16d82bcf48315286afa9b37f30f136e5f82c |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | a6060418735db741158abf7ae5b4ae3b |
| SHA1 | c1a8851f512f734548cfcbad70537334a2eab372 |
| SHA256 | 1a1c887356c36d4d2611eb4a357cbd134eb4cccd4032fe4656ddd56916b5f82f |
| SHA512 | 42ac5f2775b8a6282fc9b26cd0afa31ae7219aaf6029bedc0fb6886e1f7eb9fb4ce92e7405433edeebbc69fa47cac31c92303f5f7b6ce5cb368f4aed1670aba3 |
C:\Users\Admin\AppData\Local\Temp\Cab823C.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar82EB.tmp
| MD5 | 720fbe46b99c78a508b13daab1ab97e6 |
| SHA1 | beb191d3d3d7a016f78b76d84ad16fbe47a830e7 |
| SHA256 | cbd2618ab9f1a89f85c58fcff1ed7d28a38896973048523fc2775526b533f7b8 |
| SHA512 | 1bdfedc74cea1a68a4a2d2656256721cb94fa5b9263e5b892182160387c3877318db7b1cb89520e45d85ff7db447439adafe7c573d7ec26162d9d230bc433d16 |
memory/2316-244-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1488-246-0x000000013F310000-0x000000013F8B1000-memory.dmp
memory/2440-245-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1740-250-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2116-251-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2116-256-0x00000000027C0000-0x0000000002BB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B722.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\C299.exe
| MD5 | ce6c42dc75c23edeca7d383c6aa59a20 |
| SHA1 | 9ddfcf362af0a82b2c8b8e8bd0ebdea0e7bf4c8d |
| SHA256 | 5a2a98ffe754fae3fa624f7824d6ff11f8543a7542fda0c0f9b39ba93af2a67b |
| SHA512 | 9d2001233595058b8bf4ba13e09e5153b14bdf4ba80e9959132d43f4b7f5a4a620e0bce27b2569c8f8706b65fd6a3656acc259bb27e0677f69681c759626ad24 |
memory/2116-282-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2116-283-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1948-284-0x00000000013D0000-0x0000000001E9A000-memory.dmp
memory/1948-286-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-285-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-289-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-291-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-294-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-296-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-300-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-305-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-311-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-313-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/1948-312-0x0000000077BD0000-0x0000000077BD2000-memory.dmp
memory/1948-310-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-309-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-308-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-307-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-306-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-304-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-303-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-302-0x00000000767D0000-0x0000000076817000-memory.dmp
memory/1948-301-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-299-0x00000000767D0000-0x0000000076817000-memory.dmp
memory/1948-298-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-297-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-295-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-293-0x00000000013D0000-0x0000000001E9A000-memory.dmp
memory/1948-292-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1488-322-0x000000013F310000-0x000000013F8B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DC90.exe
| MD5 | c1676faf8e98cfe50e5d389b3a708782 |
| SHA1 | dff20c566b7c11794192355071aa39dc380ff9ad |
| SHA256 | f4b9582ba9267fbe696cc009978cca85d49daff844ffeaa8ff29998865ac39c2 |
| SHA512 | 9d176f0842dc084553039e1b4426ee69d5a41aad5685a7d63e79e77d5b94157956223a31998141a5d5d57e1933aa729dff871d987fd7331c87669b7b035707bb |
C:\Users\Admin\AppData\Local\Temp\DC90.exe
| MD5 | ce621617765b2f4c62588fd63d601da7 |
| SHA1 | fa5878b70bca938b688800e08a5a0adbeb006bc6 |
| SHA256 | 3aaebb0814dfb6a980bcc4cb89324d7adc6715b29d9287ea2cdf9311dec78228 |
| SHA512 | e97094e68ba3e3ef1742aa86a7479840b8e3e803aff3b335ebd551878d8ae5d451c2ac39b5acf63ee9d96e25099473d8bd898a5cb01d1aa531d03a929495adda |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 491ffa2c209261da15c9a7d3c3fda958 |
| SHA1 | 94cd9203e5c6ce69047048881bae7f827d81a61d |
| SHA256 | b5a1a7c5eb79269b66ff715bc952ada097872a06b96b2eed063e7a237c918f5f |
| SHA512 | a9b1e2aa4eb71c22733e34c625067f74f0f43c336c5e451bb3535b311c1d778c78a148177cef79d9f743a93eff84399fd4612c24934281edc3ceea7ba72eba27 |
memory/1488-353-0x000000013F310000-0x000000013F8B1000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 6f9f6f1689b05710edb8e8fa93ef30a8 |
| SHA1 | f956ca3962550ccecc5b918e24b853e1e75c5c7e |
| SHA256 | fd72036fe403d95e135586e7ddddc48e25c7f47fbcd4e072a518fe0523caca82 |
| SHA512 | 11324ae9d97e439329b186bd536045b604f4782ffc0a0856a980cd476a3dfc4579aca335705f80e978ee272f4f9e9f1294a8758f5aff4606b5bc22a7e5958c25 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 68f6c3c4b30a39ea223ccee648545cbf |
| SHA1 | adc0971a8451882fe9976e464c9d752ecd819ae4 |
| SHA256 | 7b6d1ccb685e1778066e6764213b810d5a397e48023b144fd65cdb434fdbe401 |
| SHA512 | 227de074d7d88bd5b1cb43da520838ca21b289018a42f20eb4becc36c4439e53aeb81f4b237ea0cd914f046f68b7357dece4146440ae76fffeeef19837636d2b |
\Program Files\Google\Chrome\updater.exe
| MD5 | 65787d42a30668ce2e158610db96efb9 |
| SHA1 | 752f0036fd96e123197e4fc2dceb737c95bee06e |
| SHA256 | 09f05c3c4ffdd0e518ccfe71c391a58377d0d6b9734fb3c1126e47fd678c7662 |
| SHA512 | 9383327e4a64ba1aefdd3f2f91ab490623c310a884df3bfe79ec3939bc71070b59fa39fd1ca246ae1c26dd35000c1523679357632423d209a796927d41a08b22 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A9TRWWL7KKRBQA9RWSYA.temp
| MD5 | d0201f21354f15279802b345515514e2 |
| SHA1 | d5c3add6d7bfb8095ecf771c039f0f071bac07ce |
| SHA256 | 8669f500dc20b5cab93732438e39581a964f975bc430c9ae4ef34133ab4bdbd8 |
| SHA512 | c18a22c1280c8bbbd502db4f9b27a0a7b5a66a12681970f21b3493e8ac4b373c4e53b6fd40aaa009fb1f4febdaca15707c54968cf41742014fca17e76ac0d3c8 |
C:\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | f891d1f27c90b11dbe000ea865af1a96 |
| SHA1 | 7e85383d6bce480cbf42a94db5c3ca4520f163f4 |
| SHA256 | cbadb551a3c5749db2658748ee1ba7bee96c2c72c26de552d48c56b7ec92e3db |
| SHA512 | 749df973669a7330d2355b1c94b7406095fc85c38de9e0b0eadc564028f778de9903c835e5dd59fb4dd50bf9eb6fd871c564e71123ada13b26f17aa217130161 |
C:\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | 9dc1703963821bd2de64e262d060bc99 |
| SHA1 | 322aa8caceaa1d80f50a0083b9cbdf83179c1c70 |
| SHA256 | ed5e647b1e7a2a7452562bc54ef4087b7d017e1df9e774bcc3a4dc230f272fda |
| SHA512 | 49822b981f8ccbb50131bf08b292696186538e301b9935c23a7e9f67ab3731a7c3bced2d4e091779fd16df6314c1b3ee96451e79a573f5e323b2265b715f192d |
memory/2680-366-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | 0b779324a093804b10035423a8fa86d9 |
| SHA1 | 8541648999834e2d92670207bb32ea2a903e7162 |
| SHA256 | 554a3cdd01fea1a0cc97da84f4a91db0354285dace8c86ea9fca985f5eb3c348 |
| SHA512 | d98ad5a07a91e5f802a57c7159734e67b3cc428f0680f67f175b1ce94b82badff2b3cdddae78fcbb8d65aae7e566d35d8ced64b362a1ff3c51814cbd9d591127 |
memory/2680-368-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | 30e9586b7f067b74f5266541e068bb49 |
| SHA1 | b4e2950973de4ef606dd960bd9a1785a958b03cc |
| SHA256 | 1829616c35d8b3294b4b5c9dea8912f983e8ada7e31dde3cba04737950addadd |
| SHA512 | 805f55959053260a568dfffad26c7ba09154b048677e7a5304f6fac1b30cc091cbf251f5f9c0f0761d2cadfe218e47d43fc4e1cb85f1f09e3baad4db82fc7e32 |
memory/2680-372-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | f4cd50607d1fbd1da99ffc90a4f77db7 |
| SHA1 | 7d6b1b2ea7ec0676af5645ee1dc2041ec0938837 |
| SHA256 | 22f14c3dfb26b0534e1cc25592da3e277a287bdeafcb1a8f10c129888693dbc4 |
| SHA512 | 2db5530a60145ab97b31f0454fa715b7bc86db34286c8329b920c67e57eddbe6d477cf651167caaa74f9e44f4e96839793839fc0bf0234dd679f40076a9acc98 |
memory/1272-363-0x00000000008D0000-0x0000000000961000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca3ffc0173823448bb0a80b7c2ec4e47 |
| SHA1 | 4824fd698d7c4bd702a89f848b1a1d7fa5caf7d1 |
| SHA256 | 149fe4502903be606f08c3a303ae425bbf9abe174bcaebb78dd33b7cf3e0ee23 |
| SHA512 | 4fe14f63bbfa0616dfab85e31080f216046c1bb12cd863ae783c84ecfff10f225054223ee8b2351e653c3dfd781890def4c334c5326608854fc6ba3527442157 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 10:52
Reported
2023-12-11 10:55
Platform
win10v2004-20231127-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
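What the "Checks SCSI registry key(s)" rows above usually mean: Windows creates one subkey per attached SCSI device under HKLM\SYSTEM\ControlSet001\Enum\SCSI, and the subkey name embeds the device's vendor and product strings (on a VMware guest, for example, Disk&Ven_VMware&Prod_Virtual_disk). Opening, querying and enumerating that key is a cheap way for a sample to decide whether it is running inside a virtual machine or sandbox. The following is an added illustration of that check, not code from this report or from the sample; the subkey names and the marker list are constructed for the example.

```python
"""Anti-VM check behind the "Checks SCSI registry key(s)" signature.

Added example; not code from the sandbox report or from the sample. The
subkey names and the VM_MARKERS list below are constructed for illustration.
"""
from __future__ import annotations

import re

# Vendor/product fragments a sandbox-evasion check would typically look for
# (assumed list, not taken from the report).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual", "hyper-v")

# Matches the "<Type>&Ven_<vendor>&Prod_<product>..." device-ID subkey format.
_DEVICE_ID = re.compile(
    r"^(?P<dtype>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)",
    re.IGNORECASE,
)


def parse_device_id(subkey: str) -> dict | None:
    """Split a SCSI device-ID subkey name into its type/vendor/product parts."""
    m = _DEVICE_ID.match(subkey)
    if not m:
        return None
    return {k: v.replace("_", " ").strip() for k, v in m.groupdict().items()}


def device_looks_virtual(subkey: str) -> bool:
    """True when the vendor or product string carries a hypervisor marker."""
    parts = parse_device_id(subkey)
    if parts is None:
        return False
    haystack = f"{parts['vendor']} {parts['product']}".lower()
    return any(marker in haystack for marker in VM_MARKERS)


def scan_scsi_enum(subkeys: list[str]) -> list[str]:
    """Return the subkeys that would make a VM-aware sample bail out."""
    return [name for name in subkeys if device_looks_virtual(name)]


def read_live_scsi_enum() -> list[str]:
    """Enumerate the real key on a Windows host; returns [] anywhere else."""
    try:
        import winreg  # Windows-only standard-library module
    except ImportError:
        return []
    path = r"SYSTEM\ControlSet001\Enum\SCSI"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            count = winreg.QueryInfoKey(key)[0]
            return [winreg.EnumKey(key, i) for i in range(count)]
    except OSError:
        return []


# Constructed subkey names: a VMware guest and a physical workstation.
VMWARE_GUEST = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
PHYSICAL_HOST = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    for label, keys in (("vmware guest", VMWARE_GUEST), ("physical", PHYSICAL_HOST)):
        print(label, "->", scan_scsi_enum(keys) or "no VM markers")
    live = read_live_scsi_enum()
    if live:
        print("this host ->", scan_scsi_enum(live) or "no VM markers")
```

Run on a Windows analysis VM, the last lines show exactly what the sample would have seen; if the hypervisor's vendor strings are visible there, renaming the virtual disks (or running on bare metal) is the usual way to get the sample past this check.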
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 4136 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe |
| PID 3224 wrote to memory of 4136 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe |
| PID 3224 wrote to memory of 4136 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"
C:\Users\Admin\AppData\Local\Temp\4F63.exe
C:\Users\Admin\AppData\Local\Temp\4F63.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 77.105.132.87:6731 | | tcp |
| NL | 8.238.23.119:80 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 77.105.132.87:6731 | | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| RU | 77.105.132.87:6731 | | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
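Most of the Network table is sandbox noise: the udp/53 rows are reverse (PTR) lookups the analysis host issues for every address it sees, and several of them resolve to the very IPs the sample contacted directly over HTTP. The rows worth extracting are the repeated TCP connections, in particular the ones to a bare IP on a port that is not 53, 80 or 443. The script below is an added example, not part of the report, that turns a pasted subset of the rows above into that short list. It also accepts the report's misaligned rows, where a missing Domain cell pushes "tcp" into the wrong column. The set of ports treated as ordinary is an assumption for the example.

```python
"""Turn the sandbox Network table into a short IOC list.

Added example, not part of the report. NETWORK_ROWS is a subset of the rows
printed above, pasted verbatim (including the misaligned "| tcp | |" form).
ORDINARY_PORTS is an assumption made for the example.
"""
from collections import Counter

# Constructed input: rows copied from the behavioral2 Network table.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| NL | 8.238.23.119:80 | tcp | |
| NL | 8.238.23.119:80 | tcp | |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 77.105.132.87:6731 | tcp | |
| RU | 77.105.132.87:6731 | tcp | |
| RU | 77.105.132.87:6731 | tcp |
"""

ORDINARY_PORTS = {53, 80, 443}  # assumption: ports that do not by themselves stand out


def parse_network_rows(text):
    """Parse pipe-delimited rows into dicts, tolerating a shifted Proto cell."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]  # drop the empty Domain cell, if any
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        proto = next((c for c in rest if c in ("tcp", "udp")), None)
        domain = next((c for c in rest if c not in ("tcp", "udp")), "")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'34.131.19.81.in-addr.arpa' -> '81.19.131.34'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        return None
    return ".".join(reversed(labels))


def summarize(rows):
    """Separate DNS traffic from real connections and flag unusual ports."""
    connections = Counter()
    ptr_targets, forward_dns = set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            elif r["domain"]:
                forward_dns.add(r["domain"])
            continue
        connections[(r["ip"], r["port"])] += 1
    contacted = {ip for ip, _ in connections}
    return {
        "connections": connections,
        "forward_dns": sorted(forward_dns),
        # PTR lookups the sandbox itself issued for hosts the sample reached
        "ptr_for_contacted": sorted(ptr_targets & contacted),
        "nonstandard_ports": sorted(
            (ip, port) for ip, port in connections if port not in ORDINARY_PORTS),
    }


if __name__ == "__main__":
    summary = summarize(parse_network_rows(NETWORK_ROWS))
    for (ip, port), n in summary["connections"].most_common():
        print(f"{ip}:{port}  x{n}")
    print("forward DNS:", summary["forward_dns"])
    print("PTR lookups for contacted hosts:", summary["ptr_for_contacted"])
    print("non-standard ports:", summary["nonstandard_ports"])
```

On the full table the same logic yields the three HTTP destinations on port 80 plus one host contacted repeatedly on port 6731, and shows that the in-addr.arpa rows for 81.19.131.34 and 185.172.128.19 are the sandbox's own lookups rather than activity of the sample.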
Files
memory/4800-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3224-1-0x0000000000930000-0x0000000000946000-memory.dmp
memory/4800-2-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4F63.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/4136-12-0x00000000023F0000-0x000000000242C000-memory.dmp
memory/4136-17-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/4136-18-0x00000000078D0000-0x0000000007E74000-memory.dmp
memory/4136-19-0x0000000007400000-0x0000000007492000-memory.dmp
memory/4136-20-0x00000000075F0000-0x0000000007600000-memory.dmp
memory/4136-21-0x00000000075A0000-0x00000000075AA000-memory.dmp
memory/4136-23-0x00000000088F0000-0x0000000008F08000-memory.dmp
memory/4136-24-0x000000000A280000-0x000000000A38A000-memory.dmp
memory/4136-25-0x000000000A170000-0x000000000A182000-memory.dmp
memory/4136-26-0x000000000A1D0000-0x000000000A20C000-memory.dmp
memory/4136-27-0x000000000A210000-0x000000000A25C000-memory.dmp
memory/4136-28-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/4136-29-0x00000000075F0000-0x0000000007600000-memory.dmp
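Two things in the Files sections of both detonations deserve a second look. First, the same path appears several times with different hashes (DC90.exe twice, updater.exe three times, F510.exe five times), so the file was rewritten during the run and a single hash will not cover it as an indicator. Second, the memory dumps are named by PID and address range, which makes the size of each region trivial to compute; the large private regions (such as 0x13D0000-0x1E9A000 in PID 1948) are the ones most likely to hold an unpacked payload. The script below is an added example, not part of the report, that pulls both out of a pasted subset of the lines above. Stripping the drive letter so that "C:\Users\..." and "\Users\..." count as one file is an assumption made for the example.

```python
"""Triage the Files section: rewritten paths and dumped memory regions.

Added example, not part of the report. FILES_SECTION is a subset of the lines
printed above, copied verbatim (SHA1/SHA512 rows left out for brevity).
Drive-letter normalisation is an assumption made for the example.
"""
import re
from collections import defaultdict

# Constructed input: lines copied from the behavioral1 and behavioral2 Files sections.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\DC90.exe
| MD5 | c1676faf8e98cfe50e5d389b3a708782 |
| SHA256 | f4b9582ba9267fbe696cc009978cca85d49daff844ffeaa8ff29998865ac39c2 |
C:\Users\Admin\AppData\Local\Temp\DC90.exe
| MD5 | ce621617765b2f4c62588fd63d601da7 |
| SHA256 | 3aaebb0814dfb6a980bcc4cb89324d7adc6715b29d9287ea2cdf9311dec78228 |
memory/1948-284-0x00000000013D0000-0x0000000001E9A000-memory.dmp
memory/1948-286-0x0000000077690000-0x00000000777A0000-memory.dmp
memory/1948-313-0x0000000074C10000-0x00000000752FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | f891d1f27c90b11dbe000ea865af1a96 |
| SHA256 | cbadb551a3c5749db2658748ee1ba7bee96c2c72c26de552d48c56b7ec92e3db |
\Users\Admin\AppData\Local\Temp\F510.exe
| MD5 | f4cd50607d1fbd1da99ffc90a4f77db7 |
| SHA256 | 22f14c3dfb26b0534e1cc25592da3e277a287bdeafcb1a8f10c129888693dbc4 |
C:\Users\Admin\AppData\Local\Temp\4F63.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
memory/3224-1-0x0000000000930000-0x0000000000946000-memory.dmp
memory/4136-12-0x00000000023F0000-0x000000000242C000-memory.dmp
memory/4136-18-0x00000000078D0000-0x0000000007E74000-memory.dmp
"""

_PATH = re.compile(r"^(?:[A-Za-z]:)?\\")
_HASH = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalise_path(path):
    """Drop a leading drive letter so C:\\X and \\X refer to the same file."""
    return path[2:] if len(path) > 2 and path[1] == ":" else path


def parse_files_section(text):
    """Return ({path: [hash-dict, ...]}, [(pid, seq, start, end), ...])."""
    files, regions, current = defaultdict(list), [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if _PATH.match(line):
            current = {}
            files[normalise_path(line)].append(current)
        elif (m := _HASH.match(line)) and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != _HEX_LEN[algo]:
                raise ValueError(f"bad {algo} length on line: {line}")
            current[algo] = digest
        elif m := _DUMP.match(line):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return dict(files), regions


def paths_with_multiple_hashes(files):
    """Paths written more than once with differing content, keyed to their SHA256s."""
    out = {}
    for path, entries in files.items():
        digests = sorted({e["SHA256"] for e in entries if "SHA256" in e})
        if len(digests) > 1:
            out[path] = digests
    return out


def largest_region_per_pid(regions):
    """For each PID, the biggest dumped range as (start, end, size_in_bytes)."""
    best = {}
    for pid, _seq, start, end in regions:
        size = end - start
        if pid not in best or size > best[pid][2]:
            best[pid] = (start, end, size)
    return best


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    for path, digests in paths_with_multiple_hashes(files).items():
        print(f"{path}: {len(digests)} distinct SHA256 values")
    for pid, (start, end, size) in sorted(largest_region_per_pid(regions).items()):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({size // 1024} KiB)")
```

Feeding the complete Files sections through the same parser gives every SHA256 the rewritten paths ever had, which is the set to block, and ranks the dumps by size so the region around 0x13D0000 in PID 1948 comes out on top for PID 1948.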