Malware Analysis Report

2025-01-22 08:59

Sample ID 240522-zbveaafe5z
Target Inject.rar
SHA256 b56f3ef36c1a05d0bc5b28b9bc7e38a5f8d8ff49c05fab2c686976fd195f73fa
Tags redline infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b56f3ef36c1a05d0bc5b28b9bc7e38a5f8d8ff49c05fab2c686976fd195f73fa

Threat Level: Known bad

The file Inject.rar was found to be: Known bad.

Malicious Activity Summary

redline infostealer

RedLine payload

RedLine

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:33

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:33

Reported

2024-05-22 20:36

Platform

win7-20231129-en

Max time kernel

117s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Inject.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2884 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2884 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2088 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2088 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2088 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Inject.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Inject.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Inject.rar"

Network

N/A

Files

memory/2720-47-0x000007FEFB5F0000-0x000007FEFB624000-memory.dmp

memory/2720-46-0x000000013F310000-0x000000013F408000-memory.dmp

memory/2720-48-0x000007FEF6640000-0x000007FEF68F4000-memory.dmp

memory/2720-49-0x000007FEF5390000-0x000007FEF643B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:33

Reported

2024-05-22 20:36

Platform

win7-20240221-en

Max time kernel

151s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Inject.rar

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\msdt.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1136 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1136 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2436 wrote to memory of 2384 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe
PID 2436 wrote to memory of 2384 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe
PID 2436 wrote to memory of 2384 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe
PID 2436 wrote to memory of 2384 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe
PID 2436 wrote to memory of 1448 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe
PID 2436 wrote to memory of 1448 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe
PID 2436 wrote to memory of 1448 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe
PID 2436 wrote to memory of 1448 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe
PID 1448 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe C:\Windows\SysWOW64\WerFault.exe
PID 1448 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe C:\Windows\SysWOW64\WerFault.exe
PID 1448 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe C:\Windows\SysWOW64\WerFault.exe
PID 1448 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe C:\Windows\SysWOW64\WerFault.exe
PID 1464 wrote to memory of 1544 N/A C:\Windows\system32\pcwrun.exe C:\Windows\System32\msdt.exe
PID 1464 wrote to memory of 1544 N/A C:\Windows\system32\pcwrun.exe C:\Windows\System32\msdt.exe
PID 1464 wrote to memory of 1544 N/A C:\Windows\system32\pcwrun.exe C:\Windows\System32\msdt.exe
PID 612 wrote to memory of 2688 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 612 wrote to memory of 2688 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 612 wrote to memory of 2688 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2688 wrote to memory of 816 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2688 wrote to memory of 816 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2688 wrote to memory of 816 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 612 wrote to memory of 2788 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 612 wrote to memory of 2788 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 612 wrote to memory of 2788 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2788 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 612 wrote to memory of 2024 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 612 wrote to memory of 2024 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 612 wrote to memory of 2024 N/A C:\Windows\System32\sdiagnhost.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2024 wrote to memory of 2280 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2024 wrote to memory of 2280 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2024 wrote to memory of 2280 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Inject.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Inject.rar"

C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe

"C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe"

C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe

"C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 508

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\Inject.exe

"C:\Users\Admin\Desktop\Inject.exe"

C:\Windows\system32\pcwrun.exe

C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\Inject.exe"

C:\Windows\System32\msdt.exe

C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW5EA.xml /skip TRUE

C:\Windows\System32\sdiagnhost.exe

C:\Windows\System32\sdiagnhost.exe -Embedding

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgblmd76.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB47.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ris57lad.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC12.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\92hwy2w2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD2A.tmp"

C:\Users\Admin\Desktop\Inject.exe

"C:\Users\Admin\Desktop\Inject.exe"

C:\Users\Admin\Desktop\Inject.exe

"C:\Users\Admin\Desktop\Inject.exe"

Network

Country Destination Domain Proto
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp
RU 5.42.65.101:48790 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe

MD5 5c02826d4b0ee2ba6f50a9fef4f31281
SHA1 57adb9017811b37fe756093c9b7c61181ef2fe8b
SHA256 8ecd9f59a8ddd6a3d3e520fafb41ff63cbe36f881dd250b50b7f9212a6bbac57
SHA512 823b8fe1626bc1bb76c6a78711a9135ca7ca4ca353646d23d27d0b409d10712f0d348de7b7cd3bb49f77b240d5e3f1c7d2379c6fd4688cc7e00e242228ae8183

memory/2384-36-0x0000000000220000-0x0000000000248000-memory.dmp

memory/2236-67-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2236-68-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2228-71-0x00000000003A0000-0x00000000003C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PCW5EA.xml

MD5 52cea1a09a855a37ddf2031c566dee37
SHA1 2e6c9da052cc881f654673b737fe5933d46dcc67
SHA256 9b8316264d3e0cca63d8c655d57eec4da34e23a2b0bb6d1403b73c6f12bedf87
SHA512 b1c41a61c77f1d49c9adaa89fc6ec3f171316c777b97578a890d47112e5a931ed7ecc8d28f96221ca5f81ef9b1ffece0ac0cd25da9d6480ef63e038af3deefb9

C:\Windows\Temp\SDIAG_9667810a-11d8-4987-a38e-e8b289309406\en-US\DiagPackage.dll.mui

MD5 526bcf713fe4662e9f8a245a3a57048f
SHA1 cf0593c3a973495c395bbce779aef8764719abf7
SHA256 c8190f45d62c5c03013ffc66b3f9bf60f52a32464fa271d2fad5fd10432da606
SHA512 df7e93617461c2fd25b5b684311126e66b7cf9f1ecfbf4c8a944f65fb2c904194ec635a9c7b962d4583ea77b0312435c7dc1b5ecbcb1fb3a5a74fc1eb2c21d04

C:\Windows\Temp\SDIAG_9667810a-11d8-4987-a38e-e8b289309406\DiagPackage.dll

MD5 e382ec1c184e7d7d6da1e0b3eacfa84b
SHA1 9a0d95eb339774874f4f0da35d10fd326438b56c
SHA256 786d95dc0d59089e14055385cce8765888f55236b5220fdfd28cf2d9b07e63ee
SHA512 019bcb4f41b5bc5853db2fa528ef126e839c5b0d0dc096dd441ba02d8c71e7913efd16b74aed93952ad2cc5422b151c12d3017fc22a65ae5ce2e7e1fc72a396c

C:\Windows\TEMP\SDIAG_9667810a-11d8-4987-a38e-e8b289309406\TS_ProgramCompatibilityWizard.ps1

MD5 46e22c2582b54be56d80d7a79fec9bb5
SHA1 604fac637a35f60f5c89d1367c695feb68255ccd
SHA256 459af2960b08e848573d45a7350223657adb2115f24a3c37e69ffe61dea647f9
SHA512 a9a24df3fb391738405d2ea32cd3ef8657d8d00d7366858a39c624dc9ebbf0b64d2817355d41eed6ad3cc7703d264d2921c8a2590ff95601d89f3cca72ba786f

C:\Windows\TEMP\SDIAG_9667810a-11d8-4987-a38e-e8b289309406\en-US\CL_LocalizationData.psd1

MD5 5e03d8afb0fae97904a14d6b2d1cac9a
SHA1 78f401b1944ed92965d7a48dba036413688f949a
SHA256 538a5f22a12b0be59a7a83e0381c6ff661932f07643a87c2d3a542eade741671
SHA512 884c0494728dd9f1a4fc8092152b2253350304b745d6fc1e4b02c9cd2366bc8c92a169c549cd77bcd67e5e2e515d89d46c1d11de5eeb500d531d87839365cd19

\??\c:\Users\Admin\AppData\Local\Temp\wgblmd76.cmdline

MD5 d4f57b029981f547fcf5b56f02c44fb8
SHA1 ba7c835c9f73406f7c09ec85ebc77b371681ecf0
SHA256 400a6f1980acfc55693df93bf0d9c0f8061b6c85602eb8e646a35ecb38fea0df
SHA512 887514efb35b8a774e5a8b5efba5eb424dd4bd91c0f7439c6c7eb06d61843f4cf7381952fdff3243e48b3968268a934ff14a9a06927981a3e13291f7fea039c3

\??\c:\Users\Admin\AppData\Local\Temp\wgblmd76.0.cs

MD5 b0dc59b099ca7c12fb8ad72d3c50c82c
SHA1 f19e28849921cf51e322824c5a8ae8bc00014cd1
SHA256 e75eaaa3d7908fb05000c0a957048d20091a0d2575e87d091d11cdb3a5b562e5
SHA512 852c937d36afe3b6df5826b9f1877d511259e2a0ffcdf229c8c655ced7346b36e526928537386121e3ecbc8b1285144dabe3b760db1873cb3baaf70a0f21c364

\??\c:\Users\Admin\AppData\Local\Temp\CSCB47.tmp

MD5 309b6aa1e087772338955c79dcbd770c
SHA1 66b14f20cfc5d8c6f65f6f321f9dfec84857e64d
SHA256 8c6b963e80933a31e5f68d4a871d2e2012345728314c1c8f91d8dfb02b2596c5
SHA512 2b9fb09b6135a23f0c3c7cce9817f5a7537a6757bb2454304a0fed590011f84833df31027a147c84ad88a6ad4e4d36aaf1e6b23ae51468fe224c03fdff62086b

C:\Users\Admin\AppData\Local\Temp\RESB48.tmp

MD5 66147d04c189134d72d079f5afd6fbff
SHA1 5b25efc922233b28077930bbebe4c953cf646ff3
SHA256 99d1c4ca6ea3381d6d9821f8822a1c11cf6e13d32cf6e5ab9e42d97654772cb3
SHA512 e2e7d729bb3b735fcef21222cc9f8dd762631423de2a8e2fb601def834a8378111f16bbb4a7378341051e67dd4b20c1b8ffaf9e8e1b8cdd99e571256aaee022b

C:\Users\Admin\AppData\Local\Temp\wgblmd76.dll

MD5 dba2f410a775dc1cbd2af6494d8dfd3e
SHA1 b3cb514c08fb22bcd33e46ced65e62d5564347bb
SHA256 274b153c6897c4a42683ec160c9418d5daa80f90bc1614e83f09f0b2ac3d0a37
SHA512 2f2a54485823508985c182d9d186946dd7501ca95d97cab941e883c8196bb8c576d99b0e88201764cbecb8fefb0cab1d4864c0129dd147dc1f721f4baf290eec

C:\Users\Admin\AppData\Local\Temp\wgblmd76.pdb

MD5 bc13b9911d4531101572f8f7f5fc357d
SHA1 af29aa8d1686fb723b695c36a9b6f68537206d8a
SHA256 e0fd61e9dea58829b451f353e9429a5a53f8354956a6464390767a17452582f2
SHA512 4151028179d8a7770e988951e5065597e6655298e40546f8ded34a359a653532ec885192212ec24d5e317ac4ed58fd09ea95f1974cde942fc351fd0c657a0828

memory/612-195-0x0000000002120000-0x0000000002128000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ris57lad.cmdline

MD5 4166c70715f91dddd745ba2531469165
SHA1 cee0826831685cc852d84d14e03e3468c4fffbcb
SHA256 0aaa46633bc97c5bfadebdeb32730af176ca01be4da45f7af151d4a4c886d2d5
SHA512 89627db913432a586e33dee91da069a5e1ba7336eea6500850a9c2e6939836186026404ab3df3d6fd157a5d58592dd97ae6711b5139ad8a1fb7f715cc6680e18

\??\c:\Users\Admin\AppData\Local\Temp\ris57lad.0.cs

MD5 3880de647b10555a534f34d5071fe461
SHA1 38b108ee6ea0f177b5dd52343e2ed74ca6134ca1
SHA256 f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e
SHA512 2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

\??\c:\Users\Admin\AppData\Local\Temp\CSCC12.tmp

MD5 6d946ca59a92163b4b98487eb4f1d729
SHA1 aada3be2f447249c750f46108985ea0bdbd8ddcf
SHA256 d8fb73952950e9cd9d8a398f9038dc0e67d29148120286c6b09e42b8a63974d8
SHA512 d637ac22819533d4e98bdb7fa1aa9e6aad1429d05f58eb0e5f844c6175ba3d0efffd3c207947402847e166537273ecf6cc228c9b0a7d9b3a654868c525d9f4a5

C:\Users\Admin\AppData\Local\Temp\ris57lad.pdb

MD5 dea53fdef6a6ffbbdbd4a0d49e932ba7
SHA1 4ad9283b4662192d37bedf08b25e29c23be22aed
SHA256 92d6626682addc5787570f32bebbc4ec7b8b3902139a4cf015ccb87463227b59
SHA512 7168c56bcd904a0083ab921f82828100411bce1211bdb64b98e431b113bc09fdf5b2dce8fc8a01433cb2aea9d082e642a14caed2503578907e43771f206d7aff

memory/612-211-0x0000000002130000-0x0000000002138000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ris57lad.dll

MD5 0cbd60b8027d1f7e57fd5b77ad9e1d1a
SHA1 b883ae4fce658f9f16dfbefed8b6a8307a9ea8ab
SHA256 b39b746ce1d3cd3281662e0d644e5e63c9f9e618d05e810cb0791c469669249f
SHA512 214162a6428a3f31bf0687af9c31637e85975bafff336afda7867aa3e169dd3797cdcbc21457912433450126ad81e5843ceed8bd1e2fdf919cae8041d93ec3f0

C:\Users\Admin\AppData\Local\Temp\RESC13.tmp

MD5 8fde262d549dc58be7e2673eb53a82b2
SHA1 2e4d1fb80b45186252798ab36b3f1574403ccd1e
SHA256 5ec4430d336f380842a553c79119dfc1bf3272752752d6d789934cd14a4e0a33
SHA512 6842ab317020edc3c603d2d16712519116e7af26387cde178a322538ebf1419d13420e4228b3920e18785e37ee07281ffe72915e319b619cb95205bcce4bd84f

C:\Windows\TEMP\SDIAG_9667810a-11d8-4987-a38e-e8b289309406\RS_ProgramCompatibilityWizard.ps1

MD5 367fe5f4c6db87e1600f46687e5aac54
SHA1 9807dc03ea1ecf6ab12f36feec43e2a635ebe145
SHA256 177625ac9b07bbffcbbb47101c2d1121f47b03b42226861bfd7974b9cebc0c98
SHA512 694e1a2c2c508aa6105872d867981431ef895834703ab498c2483630a97a46cbc1ecff9a62857fbebeb85cf2ef9c4dc51e4b6f20cf74c65c1b67f68acabfa303

\??\c:\Users\Admin\AppData\Local\Temp\92hwy2w2.cmdline

MD5 871c22a12bec1db0ea5db8761009722b
SHA1 d9f561387679350eb27904481d7a4b2cfa5b0230
SHA256 f2c5ec75f80719ec6aacb7d2ff62d0b19c91a72738d788596dd1ba59260baa45
SHA512 f7b6262e11ea101a76fbdfe3cfdab8aa9c6edac8ec0c6ecfb134b03136074b4b862adcd2e6e59904e1afa51c4f70eb65b4cec25f82b1ec439482ee4987b64590

\??\c:\Users\Admin\AppData\Local\Temp\92hwy2w2.0.cs

MD5 252f38959fe104203e386334ad7affc2
SHA1 2c8d8a8f2952d79afbb9f1c39407aed139a6ca60
SHA256 32d6b5a428a39416d88b77bcb7569c68ece04d78805ee8200275ba37b4648216
SHA512 7a7cb397908f0b68255f44d13b56f24b98566445f48f609c04093e9f319b3b1e06df22a5a0783faa59c12e221d3597a8a950d1c10f5a3502ddb091ebdd362421

\??\c:\Users\Admin\AppData\Local\Temp\CSCD2A.tmp

MD5 57dc07e980f13389878439a464b2e435
SHA1 047dd33bf46d7b1ea76fa84fde754224d5ee3316
SHA256 916ff5b4b1aa01b2b95685d493547931934167502f7e1b9c6915e3cd90346bc1
SHA512 268bfc7693a24b7b67852cb3fdfc96c2063c9d59be3e041c0b314f297349d3b8e606d5264c2209019b988924ccfa2b9ee5d33846ab3dffe548a36f0fe53698e6

C:\Users\Admin\AppData\Local\Temp\RESD2B.tmp

MD5 96fa3df76d288bfde26d505aacfc3422
SHA1 98cc4789a035cd02719c5b47a2a393eb88ff68f7
SHA256 d2309bac19d9b2a2fd54c67189d94d53a6a56d2ef5cb7bf50d7801f1dc0f08d0
SHA512 355e125b6190216f89088ae59c853c617c7a15abc32bb0b46960efaa7f3d8dd2641f2c4e71d910cd7b5e8b51511ed9a24d5f1b55b5660c0a6a836cf2094976ce

memory/612-228-0x0000000001C90000-0x0000000001C98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92hwy2w2.pdb

MD5 e22523d7f3f8d345ec4738f6a7d95849
SHA1 86225e6612cab7478efc87b3e37f2f38ae74043e
SHA256 20c4232fcd1ec89b1361a2cba690f22d65a5d684870e985961783c8de8fa3036
SHA512 d39705814d24669c9b4193be6715a9fda7f3020171e31f86f4c6efed78e86fcc2fa360018079a0c9827be14d015cde309ad36152505a15609595a49c629f701a

C:\Users\Admin\AppData\Local\Temp\92hwy2w2.dll

MD5 cd3650dfebd6eb7c27d00807669121b2
SHA1 f26f944e8b8a015ff97fd71c4455422d9961c3cb
SHA256 04add47eee6aaf647463c27162440b8666683c1c51d97ae4961f6a08a9cfb256
SHA512 a9481e48bda3c6670690cc23a7658b66ff7c191cfcc32e76b8505b943b3c2c7bbc12922c5cc4a08e2d8c700ef6c57c8505e196330593c812b4c6766b370c28fd

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024052220.000\PCW.0.debugreport.xml

MD5 8b0008ae16df7039d0953e00ee2b0298
SHA1 bc51b87c24d6e833d0c09b19d06eda728695a1d5
SHA256 ee2215ac05ab7b32e39ff9645a33391329ba831b0cf1b18fe16d2e267d43a204
SHA512 53da63f5cef91c2658d4f4a6842aaea77d15279bb2a44ea2db82d6edb405f567e19e42ea7c1f0d670a65be15335d5e2ecafa785817eeba21618776f09873088d

memory/2416-275-0x0000000000450000-0x0000000000478000-memory.dmp