Malware Analysis Report

2025-03-15 05:13

Sample ID 231211-dja5qacfa6
Target aa96cbc9b53138883480cee00d2e6e41.exe
SHA256 0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79
Tags smokeloader redline @oleh_ps livetraffic up3 backdoor discovery evasion infostealer spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79

Threat Level: Known bad

The file aa96cbc9b53138883480cee00d2e6e41.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader redline @oleh_ps livetraffic up3 backdoor discovery evasion infostealer spyware stealer trojan

SmokeLoader

RedLine payload

Smokeloader family

RedLine

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-11 03:01

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-11 03:01

Reported 2023-12-11 03:04

Platform win7-20231020-en

Max time kernel 115s

Max time network 115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF79.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AA15.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA15.exe
PID 1360 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA15.exe
PID 1360 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA15.exe
PID 1360 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\AA15.exe
PID 1360 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF79.exe
PID 1360 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF79.exe
PID 1360 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF79.exe
PID 1360 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF79.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

C:\Users\Admin\AppData\Local\Temp\AA15.exe

C:\Users\Admin\AppData\Local\Temp\AA15.exe

C:\Users\Admin\AppData\Local\Temp\BF79.exe

C:\Users\Admin\AppData\Local\Temp\BF79.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\C3ED.exe

C:\Users\Admin\AppData\Local\Temp\C3ED.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-CT0UL.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CT0UL.tmp\tuc3.tmp" /SL5="$201AC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211030335.log C:\Windows\Logs\CBS\CbsPersist_20231211030335.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\A12.exe

C:\Users\Admin\AppData\Local\Temp\A12.exe

C:\Users\Admin\AppData\Local\Temp\145F.exe

C:\Users\Admin\AppData\Local\Temp\145F.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 N/A tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 N/A tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted 2023-12-11 03:01

Reported 2023-12-11 03:04

Platform win10v2004-20231127-en

Max time kernel 102s

Max time network 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C35B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9CA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A205.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 3376 N/A N/A C:\Users\Admin\AppData\Local\Temp\C35B.exe
PID 3292 wrote to memory of 3376 N/A N/A C:\Users\Admin\AppData\Local\Temp\C35B.exe
PID 3292 wrote to memory of 3376 N/A N/A C:\Users\Admin\AppData\Local\Temp\C35B.exe
PID 3292 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CA5.exe
PID 3292 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CA5.exe
PID 3292 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CA5.exe
PID 3292 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\A205.exe
PID 3292 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\A205.exe
PID 3292 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\A205.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe

"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"

C:\Users\Admin\AppData\Local\Temp\C35B.exe

C:\Users\Admin\AppData\Local\Temp\C35B.exe

C:\Users\Admin\AppData\Local\Temp\9CA5.exe

C:\Users\Admin\AppData\Local\Temp\9CA5.exe

C:\Users\Admin\AppData\Local\Temp\A205.exe

C:\Users\Admin\AppData\Local\Temp\A205.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp" /SL5="$801C4,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\C899.exe

C:\Users\Admin\AppData\Local\Temp\C899.exe

C:\Users\Admin\AppData\Local\Temp\D79D.exe

C:\Users\Admin\AppData\Local\Temp\D79D.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\C35B.exe

C:\Users\Admin\AppData\Local\Temp\9CA5.exe

C:\Users\Admin\AppData\Local\Temp\A205.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp

C:\Users\Admin\AppData\Local\Temp\C899.exe

C:\Users\Admin\AppData\Local\Temp\is-K9F98.tmp\_isetup\_iscrypt.dll