Analysis Overview
SHA256
a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
Threat Level: Known bad
The file 0x0007000000014970-113.dat was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
SmokeLoader
Smokeloader family
Modifies Windows Firewall
Downloads MZ/PE file
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:14
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:14
Reported
2023-12-11 03:16
Platform
win7-20231020-en
Max time kernel
107s
Max time network
108s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9B94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A249.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
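The three registry events above are the classic disk-vendor check: the device instance names under HKLM\SYSTEM\ControlSet001\Enum\SCSI embed the vendor and product strings of every SCSI disk, and a hypervisor's virtual disk names itself. The script below is an added example, not part of the sandbox output: it shows what such a lookup extracts and lets a defender test whether their own sandbox image would fail it. The subkey names are constructed in the layout Windows uses (`Disk&Ven_<vendor>&Prod_<product>`), the hypervisor marker list is an assumption to extend, and the live read through winreg only runs on Windows.

```python
"""What a lookup of HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI is usually after.

Added example, not sandbox code. Subkey names below are constructed in the
Windows 'Disk&Ven_<vendor>&Prod_<product>' layout; HYPERVISOR_MARKERS is an
assumption to extend; live_subkeys() reads the real key only on Windows.
"""
import re
import sys
from typing import Optional

HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio",
                      "msft virtual", "xen", "hyper-v")
# One device instance per subkey: "<class>&Ven_<vendor>&Prod_<product>"
DEVICE_ID = re.compile(r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&\\]*)", re.I)

# Constructed subkey names: two from a typical VMware guest, one from bare metal.
CONSTRUCTED_SUBKEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
    "Disk&Ven_&Prod_Samsung_SSD_870",
]


def parse_device_id(name: str) -> Optional[dict]:
    """Split a subkey name into class / vendor / product, or None if it is not one."""
    m = DEVICE_ID.match(name)
    return m.groupdict() if m else None


def hypervisor_hits(subkeys) -> list:
    """Return the subkeys whose vendor or product string names a hypervisor."""
    hits = []
    for name in subkeys:
        d = parse_device_id(name)
        if not d:
            continue
        text = f"{d['vendor']} {d['product']}".replace("_", " ").lower()
        if any(marker in text for marker in HYPERVISOR_MARKERS):
            hits.append(name)
    return hits


def live_subkeys() -> list:
    """Enumerate the real key (ControlSet001, as in the report) on Windows; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Enum\SCSI") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
                index += 1
            except OSError:
                break
    return names


if __name__ == "__main__":
    source = live_subkeys() or CONSTRUCTED_SUBKEYS
    for hit in hypervisor_hits(source):
        print("hypervisor disk:", hit)
```

If the live enumeration on your analysis VM returns any hit, a sample that performs this check has enough to bail out before unpacking; renaming the virtual disk at the hypervisor level is the usual fix.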
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9B94.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1296 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9B94.exe |
| PID 1296 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9B94.exe |
| PID 1296 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9B94.exe |
| PID 1296 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9B94.exe |
| PID 1296 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A249.exe |
| PID 1296 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A249.exe |
| PID 1296 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A249.exe |
| PID 1296 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A249.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"
C:\Users\Admin\AppData\Local\Temp\9B94.exe
C:\Users\Admin\AppData\Local\Temp\9B94.exe
C:\Users\Admin\AppData\Local\Temp\A249.exe
C:\Users\Admin\AppData\Local\Temp\A249.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\A6AD.exe
C:\Users\Admin\AppData\Local\Temp\A6AD.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp" /SL5="$50182,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211031543.log C:\Windows\Logs\CBS\CbsPersist_20231211031543.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\CAA2.exe
C:\Users\Admin\AppData\Local\Temp\CAA2.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
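The last three processes above are the persistence step worth a detection rule: cmd.exe hands netsh an inbound allow rule named "csrss" for C:\Windows\rss\csrss.exe, a file that borrows the name of a core system process but lives outside System32. The script below is an added example, not code from the sandbox or the malware. It parses `netsh advfirewall firewall add rule` command lines (both the bare netsh.exe form and the cmd.exe /C wrapper the report shows) and scores the program path. The telemetry records are constructed, their `pid|image|cmdline` layout is an assumption, and the system-binary list is a short placeholder for a real baseline.

```python
"""Hunt for netsh firewall exceptions that whitelist a masquerading binary.

Added example for this report, not sandbox or malware code. Input records are
constructed; the 'pid|image|cmdline' layout is an assumption, substitute the
fields of your Sysmon event 1 / EDR process-create telemetry.
"""
import re
from typing import Optional

# Binaries Windows only runs from the system directories (assumption: short
# list for the example; extend from a real baseline).
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
# netsh accepts key=value and key="value with spaces"
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_rule(cmdline: str) -> Optional[dict]:
    """Return the key/value fields of an add-rule command, or None if it is not one."""
    m = ADD_RULE.search(cmdline)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KEY_VALUE.findall(cmdline[m.end():]):
        # a cmd.exe /C "..." wrapper leaves a stray closing quote on the last bare value
        fields[key.lower()] = quoted if quoted else bare.strip('"')
    return fields


def assess(fields: dict) -> tuple:
    """Score a parsed rule: high = system-binary name outside the system dirs,
    medium = program in a non-standard location, low = anything else."""
    reasons = []
    if fields.get("dir", "").lower() == "in" and fields.get("action", "").lower() == "allow":
        reasons.append("inbound allow rule")
    prog = fields.get("program", "").lower()
    if not prog:
        return "low", reasons
    base = prog.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARIES and not prog.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} outside the system directories: {prog}")
        return "high", reasons
    if not prog.startswith(SYSTEM_DIRS) and not prog.startswith("c:\\program files"):
        reasons.append(f"program in non-standard location: {prog}")
        return "medium", reasons
    return "low", reasons


def scan(records) -> list:
    """records: iterable of 'pid|image|cmdline' strings; one hit per add-rule command."""
    hits = []
    for rec in records:
        pid, image, cmdline = rec.split("|", 2)
        fields = parse_rule(cmdline)
        if fields is None:
            continue
        severity, reasons = assess(fields)
        hits.append({"pid": int(pid), "image": image, "rule": fields.get("name"),
                     "severity": severity, "reasons": reasons})
    return hits


# Constructed telemetry. Records 2 and 3 reproduce the report's netsh.exe and
# cmd.exe command lines with made-up PIDs; record 4 is an ordinary admin rule.
SAMPLE_RECORDS = [
    "9001|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\system32\\svchost.exe -k netsvcs",
    '9002|C:\\Windows\\system32\\netsh.exe|netsh advfirewall firewall add rule name="csrss" dir=in '
    'action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    '9003|C:\\Windows\\system32\\cmd.exe|C:\\Windows\\Sysnative\\cmd.exe /C "netsh advfirewall firewall '
    'add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes"',
    '9004|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall add rule name="Remote Desktop" '
    'dir=in action=allow protocol=TCP localport=3389',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["severity"], hit["pid"], hit["rule"], "; ".join(hit["reasons"]))
```

The path test is deliberately on the program argument rather than the rule name: the name "csrss" is cosmetic, but an allow rule for a system-process name outside System32 or SysWOW64 has no legitimate reading.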
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
memory/2400-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2400-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1296-1-0x0000000002A80000-0x0000000002A96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9B94.exe
| MD5 | a3fd760aa391af380bde7d16da4dc4be |
| SHA1 | e2fa0901272acbfba9ae1b1dd7b48f5ef39cce43 |
| SHA256 | 5cb3abf6e58b6e4d138931a094051a7f4862bd98f29e45098e7d14fe555db56e |
| SHA512 | 061bad615b1f19a896415b6f98759e5267dfd20e1ec7bd0705feb2ca6dedc6294e9ab57326a64081075b11229b03fc45ef494766ddfb8fa2720ffae09dcf7245 |
memory/2744-12-0x00000000001B0000-0x00000000001EC000-memory.dmp
memory/2744-17-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2744-18-0x0000000007410000-0x0000000007450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9B94.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2744-21-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2744-22-0x0000000007410000-0x0000000007450000-memory.dmp
memory/2744-24-0x00000000743D0000-0x0000000074ABE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A249.exe
| MD5 | 5badf56160daecaf1dcc1d03ef8d60ea |
| SHA1 | 69eb0d7840437bd21321a500f3cb328b354be191 |
| SHA256 | 96b00d74f669168bbba7f4532e2520c0981d375f1659e0ddcfe436e951e20827 |
| SHA512 | d9a62a94071b6dbd1e5faa1325ecfdb6d9547e12ba6edab215273c79a3502b9146a4acda344218fbdcdd0aa475bd2b746ee573a4336e95ef303dae39bce96c03 |
C:\Users\Admin\AppData\Local\Temp\A249.exe
| MD5 | 05f857cc48e317f6317a1b1381293c2b |
| SHA1 | bedab5027be28b22e65099095408793b1f7a952e |
| SHA256 | b2c49adb852237562819f0739df3ab472ca18ea15f7959e7539c7c47c4490296 |
| SHA512 | 00e6c1390c4278c5ff119be1d2be5ac5d5512f56b587984bb8510e214b78ced48ce3a67eddc0bc565c2c6d461a0689b6b06c6892f85c27d0f66bef446926165a |
memory/1480-30-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/1480-31-0x0000000000840000-0x0000000001CF6000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 6c5fbaebcc2a05706ae429a2925a7ca0 |
| SHA1 | d2a266c07bb41a7961652478cbf0b61f311371db |
| SHA256 | ed558926d0555d8a71d11117c78c28dd000c9ca30c2d303db89af0fe1c9187c4 |
| SHA512 | e40bac9816ea845639d7212e7877219b0318fcb120f33ece22a3246eb39bb8fb21aa45bf9b6a8a9a4c43eee8385751b420c43f8d4de1e96a10dd0bf9b93529f0 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 2ae443108e21210d1d58cc808dac55aa |
| SHA1 | 8dedd6803177729a707783f3ffd09e61caf6326b |
| SHA256 | 21596e2b58e1374938c48575628e9f5c11510584d5782949dbfaf3fe0d4f72c7 |
| SHA512 | 710bd13cb36d129e967a4c9dde026fcfbc0ff64beaeb77c0b0dc941ca6acc324a3ede9d9d558837bbb33860f2344f77f94a5384af637e4ce073c15755893c883 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 604740180772ab6b28e974f48d6c969a |
| SHA1 | 3082a9166bf862bba736098beeab78954b6537a7 |
| SHA256 | 8535df0e2bd78136dca9c0efd521e0a908368ba957e220da81cb1d6cbfc5101c |
| SHA512 | 327c596c1c47c36a4fda8c5b122696746f20689794b055d3ccbac51da6dc625a93756a94d92e7b95540182711a1a4d8be8c37ee9ba45bfd7d3d02f726e59ffaa |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 9eecd2eb1bf3e6e32c857555fe0495ca |
| SHA1 | c30d6a9bb21ab2f8d1f254a02bf68b067fe2997d |
| SHA256 | 6a192b05a4f747f30cfaf038d1adbb80fefef2941bcc7a711b894fdc2b6426d4 |
| SHA512 | c257732423f666b48caee0dcb00a4a369d90d861940b6f27c8c4e67843ce349459994880b59e663fc3a2ed79e653191175f4470e1d93de883139bb945dbc9f8b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 860410865e4b23533c6cfb425872c9c2 |
| SHA1 | 6e51d02527f721dc0fdc83d759b505d5f94fc050 |
| SHA256 | 3f88b3dcebe7083e7999ae0966b15dc655b61b7535678c1d4d4873f4aa571107 |
| SHA512 | e956e7d52474e4782da4be8a05f7afcab490820afaa72a44a5fe0cfebaf9c46a349e69f1d529ca1690d04f06690729bf353481e7b57271113885dd9f17725dc6 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\A6AD.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5511c21dfd1c17575ebf92f937ef856a |
| SHA1 | 3c98d57e27493fee5191ada30e442cf77b1d4357 |
| SHA256 | f50eb2d072c013c56dfdf23e7aa7c624a517cffbe67eef051b8d6934e25322b2 |
| SHA512 | 3a0691c493ea94983d73063e55037afff030779ddc7297088c4f39531e5358c3826fe2201998093fab69d8cf80d67b819ea0319f228ae4247bfcd1c60f8f8787 |
memory/2128-62-0x0000000000F40000-0x0000000000F7C000-memory.dmp
memory/2128-65-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/2128-66-0x0000000007130000-0x0000000007170000-memory.dmp
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 44886728aa63c6068eab6b18cc9cf1f2 |
| SHA1 | b8d432415a6e8ec0f341d849556a966c6c8b81cc |
| SHA256 | 05c817b42eef9c238757a81d2a3684486f991e0c2b5e24943427f0459ce14edb |
| SHA512 | 5319dc71e0bf0d5f7d6a83e0634f4f9e3f801926bf20c26c3f4dd05d19906d770ae56f9848099129294ac46abf13dbe011eb53086599aaf870af8c2372f0d441 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f0c1b8505e29e5c5021d15b2cd6bf734 |
| SHA1 | 9c83a298bc43d059dc0e885399142aadca0e6070 |
| SHA256 | 57bcdf6552c957919c26083bbe49f3f5c8d67675f37122422a9ad18c87e1168c |
| SHA512 | ffc437c71eb5230e04af325f7b5085fee8a2263c987ecf48115e5905741e1c1c45fef4273de5cce0b705ce0fdad8d7d06583f69a3ca853d0d07bbf846ad818e6 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 602f54a6d53331143626652aa4fa2d55 |
| SHA1 | a5334980cb5cc09699cdb9b5b212763181d80eae |
| SHA256 | 781584ce5ddd7a8a5e7ef3d3247e1223fe7e336121d8b2044e4c392b6e450571 |
| SHA512 | c3c0c99051ac39256a901b7cb0691412a304c96fb1e28d296f8a6ab5ed7eb4565ca3f8e21d7b4b2c61e0de65d50c064c3bca7efdf73efa950c5b0366e261245a |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | fd4dca0e70344386a9feb0d10b83b071 |
| SHA1 | ef969ac052c222243e49c658f7c259a34a07c251 |
| SHA256 | cdd7906a78414c485a0b5c9bb92aae5d42b3d6fc300513fde287787fa3232e41 |
| SHA512 | 2316b796050dd63b6e2e3517796ffcb45f25257a3a72fca6d5e85c92eabae582bb880d5521f98889c9f4180fb1520a7f851ee6894da44bdc3df0221e7f90a293 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | f7c5b1ca5b4c27b733b396dadf55916b |
| SHA1 | ffed0551938dbbaf80b48e4afc0f96f6fc50818d |
| SHA256 | 20fea6677d5e7cc3d8dfc6eaf99ec6d0f7b6ac90dba5e8233c0a363b794b848c |
| SHA512 | db911cf08e950e97f9cdc41896073b76c6011c876af74e902aa454f80f7b924fa431e3b37769045bfd8af34cbbe70ed26219e287c2a668487258b948132bcab9 |
memory/1908-72-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 2291cec2b4a259f02c6da442d577303e |
| SHA1 | 5e2ec2eb93173e3012dbf80fadcab21ed80982e5 |
| SHA256 | d5b919cb321b782a48526e02c6341587fb37028736a4b575817bf4104da28ccd |
| SHA512 | b308f64051a87d742e09ec4ae3820ac1e46176d30caf4e157c3cc656534ae217b3f16a62e67e12284085cdac6dc2ed9d2acfea05d638ba74bdac9c03e53654a6 |
memory/1760-77-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | f785e62266ff3c7e1641b939d952cd06 |
| SHA1 | 51d0d03acdbd943572a0a65fb69c099f842543b3 |
| SHA256 | e0694622de3bdc640d3a181d6340f074f2895885b6456b16bfcbc50b01624a45 |
| SHA512 | 30fc0aebb5f33646447b97437fcce836b09159bb096b5d6fcefa5b34a79ba3b33910333903121a4bc2444f359e08a3ec93978eaf33d77ca6b05a0da9ae694960 |
memory/3032-79-0x00000000026E0000-0x0000000002AD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 102b231494a28d21c028893e92ace503 |
| SHA1 | d1f52301a472817762a4b32d3fe5aeb1f148a998 |
| SHA256 | 8f631e7185107918122757696eb24fe263cb97157181e540d690181f64a17bca |
| SHA512 | e0586426253dcc1269df8ff6da9116f5293a4b81da2b805757e8e970ff35d5e7a696ef499c34afbb01380497c04484fa66871ccd5e5c73a96d4ab63efb67e811 |
\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp
| MD5 | ec7e51babe4df69d9b758cee8bf4264b |
| SHA1 | 473c91ebeac4cd83618f05c9dd8ea85e6afd5be9 |
| SHA256 | b65234c2aa476704b845fb7788fbed74f58919991e999c5c306a21b4b985e1ba |
| SHA512 | 31d9f8672f94e81fdf8cc6beb08a27e6db856076ec0069607083fb696d2607c47568e2bd8f814caa675087e04bc25846628e266f198bcb512b9f59ca4c01b892 |
C:\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp
| MD5 | ade7c14e2823339c8fcb8f17a7779c75 |
| SHA1 | 1274aac7b940d33e9bf8e382d3a6129dc0aad287 |
| SHA256 | a44626217ca755fb9012660ee145e4efa58733eb7e179549a2fbf3d64f0e4c82 |
| SHA512 | eee5fa26855805db0f1b8de870f2d385cf0ce5b4a6e290dcd73f3c303b0db54147e4ef1d297ea50fe5806e98b80cf51291803fe7be79ba07f6fb67d4c5e773ff |
\??\c:\users\admin\appdata\local\temp\is-ui76u.tmp\tuc3.tmp
| MD5 | 5fb5e1d689e3345a9da8fa0b13437e43 |
| SHA1 | 706653f6b5fb4431be3562e5a620568fc5523cc2 |
| SHA256 | be55c728007878f18a4750d9899601586cd11bfd825dac9f5d1e09c4bf5e1344 |
| SHA512 | 0704eabdffa1edd7ce86ad7dfe3a073dea26622b12616646abd1fe9bca1dfae0b6296c28dd64de38aa3d16bf6a0449e34df22f65afa0aee90d23a9ca7366efab |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 13c2987a4eeaefac56fcc73866bb3d23 |
| SHA1 | 9d62d127673b238394c92bbb9327f7e48e243309 |
| SHA256 | 056d3373f8d2224dc36fc40232a211aab14f238c875af79516f5638815642d69 |
| SHA512 | c76771dbec2f2ad6b34f14fac26178a8becc5b8215e886f568a028473c03828f923e1a21d346f559f72908fa7d192b4aff80aabe20658d79ae4a184eb1a6c4cc |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | d7538ae5b307b69b4048b020ce3674f0 |
| SHA1 | a0559bf187c973d8a1a2c3a68f2bca47cd3b2960 |
| SHA256 | 32c597bf814b647bae3c072f4949aa4d0ed8e884aa3e2d27071aa806464bc24f |
| SHA512 | 6b1c50dbe7dfa491edfe867cfdbdbbe07e9b96bb19c66a182273537771cc315c89d3ccf0f14e16ca0e0940f9c6151949428ecf443d601aed511d78ae62616df7 |
memory/828-105-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-8R8PM.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1480-104-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/1176-119-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1176-118-0x00000000008E0000-0x00000000009E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 28d213679acc39cf6cead075b6dcddf1 |
| SHA1 | 5b6695080793a8366beef6437f930bb84cfb4eba |
| SHA256 | 4fe23f861e22ab898085dd2d4aaa4112a68fb69a202216e0db42519486403fbd |
| SHA512 | 4196f5809422314e051be205d91d1344ce993fa2784f2336e8edb603a964a696739e8583089701f94ef68f384bf81e08c408ecc39c50c251a96083aac7630179 |
memory/1420-124-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1420-126-0x0000000000400000-0x0000000000409000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 8c6a41849b7ecfd3f0a5aeb60915b2bc |
| SHA1 | bb54c820a3c033382ea3dca5b56feb106ec23d80 |
| SHA256 | 5986314e268d7eb1834ff9c8113ac03ae8ff3ec91e1a4b6c76133b48038b9918 |
| SHA512 | fc9d7e8ea75f89577287db3acc3469ed065dbe8b23345b7de9ba1d745631c829e868659999efde1affe722d04e21227fd6b3043212e41fe02069a39cb04fad61 |
memory/1420-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 916626959dc11b5ca2bc452648f51de6 |
| SHA1 | d2af64d665a3484e667ce382241e5a510870a0ce |
| SHA256 | 388d79d06b42d3077a7f40a7f2a321f05ce9933e797bb4ede320205556971339 |
| SHA512 | 1fc8c6f2c41f69274ed1c3b95855ce97cdbc7f7cd5f03212cec824f419647f920464ee5b909661907a0248c7458aba78876eb20437838f11ff9b6496a7c279db |
\Users\Admin\AppData\Local\Temp\is-8R8PM.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-8R8PM.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/3032-127-0x00000000026E0000-0x0000000002AD8000-memory.dmp
memory/3032-128-0x0000000002AE0000-0x00000000033CB000-memory.dmp
memory/2128-130-0x00000000743A0000-0x0000000074A8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ec15a461d94f5e12fe10998ec0713431 |
| SHA1 | 0b6a787b28c819fd063dce3d2660fe3ddae42ab9 |
| SHA256 | 861d3ea0817cf5d5e7fe0f2843aed5f03fbcfd3673d050721475ce2a7ee16269 |
| SHA512 | 8c088b9b1bde428bce04ed58069ec603a425a3e8e18802fd2341de14e3acb809e6f753f0912a2cedaf01f0ee9163aa1cd6ab4a3920501c9b6587fa5b24beb2ac |
memory/3032-131-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 002b03920647429bbae6928517a93fb4 |
| SHA1 | 59b528b0701063713ec585a483b354845b9046e5 |
| SHA256 | 0838fb460860a6dbe7fb17f6936b9cfc3bea737105d81bbb232737c7fe25228f |
| SHA512 | a221c0bb42d4045f36cbb3e1e66ea44c3bd551c33eb629ec53adbb8abfa6f97c3288ab468664a3337ed0fe8b8d0eaa5fa3f5f6e35a92497576b1920bee7c96b2 |
memory/3032-133-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2372-134-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/3032-135-0x00000000026E0000-0x0000000002AD8000-memory.dmp
memory/3032-136-0x0000000002AE0000-0x00000000033CB000-memory.dmp
memory/1296-137-0x0000000002C10000-0x0000000002C26000-memory.dmp
memory/1420-138-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CAA2.exe
| MD5 | 7743062160aa387c9551af78cfa658b9 |
| SHA1 | 413127b33ee9e992cd80c1cc66f3cb77a18e8ab0 |
| SHA256 | c397a7d219cb710c4deaeab5c96b118f7bcf617121d254f7221ca036225ab374 |
| SHA512 | ee7a97914520fa15eb11db799530c2b5b6ea5346611067dafe53034e53e1ab466e1e5015c3c897b781ab9ef1ff884974b28b3cef46a62c93b7172c97bb87b197 |
memory/2128-147-0x0000000007130000-0x0000000007170000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CAA2.exe
| MD5 | 2bc30d9cc13a708378b2b4662d5a154b |
| SHA1 | 144981aa10affdcd499566e47cf96baee88b5645 |
| SHA256 | 612181165db55384a2a80efabb49bb651b4e61958c5fbb496571d95ccafd239f |
| SHA512 | 0a3710defb646ade62847eeec47bf37ccaf3ac3afe251ec1f5b09f1477631f0019a3e3fe8f281f7692aec01ed6253593d956a2c9895c9a9e6d68ec77653c498e |
memory/2448-148-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/2372-151-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/1908-152-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2372-150-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1760-153-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2448-154-0x00000000052B0000-0x00000000052F0000-memory.dmp
memory/2448-149-0x0000000000240000-0x00000000007F2000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 71db53cb1f36bb8409addea1290a1792 |
| SHA1 | 1145aa2d98ad8e1c6290ec2d2a99540aa9a7c6b5 |
| SHA256 | b2145e8e55bf6b967805dd69342fb62f020aaca0b36c311bb9b89a621afcef26 |
| SHA512 | 7d6bc97ff0579b0c4441945a1173deda187edd57d1f43efa75019226900d8fd3fbc1170a7b7064cecabbb33af562dbf774b67764455b493d2336849b02cc2f8a |
memory/2372-174-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | fddf223b586eb884dff64e6bd8c6c878 |
| SHA1 | 284e12de869a4fd257ea3c11baa573e4282e3c76 |
| SHA256 | 627359fec267b51b913cb4410dd662bc757961c650168190c107b704d510a4a9 |
| SHA512 | f601b3e306f57a92a71a41c2801634cffa96ceaa991c89831f2cec8f39c40f71e4e42fd0a1622ff8dbb0cb3d0a221acf5dbdcbfc765ffd35ca93d32933b2975b |
\Windows\rss\csrss.exe
| MD5 | e754d39ddbb59be388543944b7433bac |
| SHA1 | c66241260052a4697ad95b6c6c3d5caecae0cda2 |
| SHA256 | b301d72bba8779189690709edd2a438ac2a6622db16ebfb4b326d63148333824 |
| SHA512 | 44d4d0877e6174b1df16cd2080e49b224a9827259841111fcef3c636e71d48f0ed0333a0de130f0269d28d4222b9581d7b9593e294b4d951df3791fbafd7f096 |
memory/1908-175-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1784-178-0x000000013FF10000-0x00000001404B1000-memory.dmp
memory/2900-180-0x00000000025C0000-0x00000000029B8000-memory.dmp
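The Files section names every memory region the sandbox dumped as `memory/<pid>-<seq>-<start>-<end>-memory.dmp`, and the WriteProcessMemory table earlier in this run says which PIDs were written into by whom (1296 into 2744, the 9B94.exe child, and into 1480, the A249.exe child). The script below is an added example, not sandbox code: it pairs those two tables so an analyst knows which dumps to open first, and checks whether a dump begins with a PE image whose SizeOfImage matches the dumped range, the quickest way to tell a full unpacked image from a partial allocation. The table rows and dump names are copied from behavioral1; the dump bytes are a constructed minimal PE header, since the real dumps are not on this page.

```python
"""Pair WriteProcessMemory targets with their saved memory dumps and test each dump for a full PE image.

Added example, not sandbox code. WPM_ROWS and DUMP_NAMES are copied from the
behavioral1 tables above; make_fake_image() builds a constructed stand-in for
dump contents, which this page does not include.
"""
import re
import struct
from typing import Optional

WPM_ROWS = """\
| PID 1296 wrote to memory of 2744 | N/A | N/A | C:\\Users\\Admin\\AppData\\Local\\Temp\\9B94.exe |
| PID 1296 wrote to memory of 1480 | N/A | N/A | C:\\Users\\Admin\\AppData\\Local\\Temp\\A249.exe |
"""
DUMP_NAMES = """\
memory/2400-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1296-1-0x0000000002A80000-0x0000000002A96000-memory.dmp
memory/2744-12-0x00000000001B0000-0x00000000001EC000-memory.dmp
memory/2744-17-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2744-18-0x0000000007410000-0x0000000007450000-memory.dmp
memory/1480-30-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/1480-31-0x0000000000840000-0x0000000001CF6000-memory.dmp
"""

WPM = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def parse_injections(text: str) -> dict:
    """{target_pid: (source_pid, image path from the Target column)}"""
    out = {}
    for line in text.splitlines():
        m = WPM.search(line)
        if m:
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            out[int(m.group(2))] = (int(m.group(1)), cells[-1])
    return out


def parse_dumps(text: str) -> dict:
    """{pid: [(start, end), ...]} ordered by the dump sequence number"""
    out = {}
    for line in text.splitlines():
        m = DUMP.search(line)
        if m:
            out.setdefault(int(m.group(1)), []).append(
                (int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)))
    return {pid: [(s, e) for _, s, e in sorted(v)] for pid, v in out.items()}


def correlate(wpm_text: str, dump_text: str) -> dict:
    """For each injection target: writer PID, target image, dumped regions with sizes."""
    dumps = parse_dumps(dump_text)
    return {tgt: {"source": src, "image": image,
                  "regions": [(hex(s), hex(e), e - s) for s, e in dumps.get(tgt, [])]}
            for tgt, (src, image) in parse_injections(wpm_text).items()}


def pe_size_of_image(buf: bytes) -> Optional[int]:
    """SizeOfImage from the optional header if buf starts with a PE image, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # skip signature and IMAGE_FILE_HEADER
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    return struct.unpack_from("<I", buf, opt + 56)[0]  # SizeOfImage sits at +56 in both


def region_holds_full_image(buf: bytes, start: int, end: int) -> bool:
    """True when the dumped range is exactly one mapped PE image."""
    size = pe_size_of_image(buf)
    return size is not None and size == end - start


def make_fake_image(size_of_image: int) -> bytes:
    """Constructed dump contents: MZ stub, e_lfanew=0x80, PE32 headers, no sections."""
    hdr = bytearray(0x80 + 4 + 20 + 224)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 0, 0, 0, 0, 224, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 56, size_of_image)
    return bytes(hdr)


if __name__ == "__main__":
    for tgt, info in correlate(WPM_ROWS, DUMP_NAMES).items():
        print(f"PID {info['source']} -> {tgt} ({info['image']})")
        for start, end, size in info["regions"]:
            print(f"  {start}-{end}  {size // 1024} KiB")
```

Run against real dumps, feed each file's bytes to region_holds_full_image with the start and end parsed from its name; a match means the dump can go straight to a PE parser, a miss means it is a partial allocation or a non-image buffer and needs carving first.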
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:14
Reported
2023-12-11 03:16
Platform
win10v2004-20231127-en
Max time kernel
81s
Max time network
94s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1807.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1807.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3272 wrote to memory of 2940 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1807.exe |
| PID 3272 wrote to memory of 2940 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1807.exe |
| PID 3272 wrote to memory of 2940 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1807.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"
C:\Users\Admin\AppData\Local\Temp\1807.exe
C:\Users\Admin\AppData\Local\Temp\1807.exe
C:\Users\Admin\AppData\Local\Temp\E069.exe
C:\Users\Admin\AppData\Local\Temp\E069.exe
C:\Users\Admin\AppData\Local\Temp\E2EB.exe
C:\Users\Admin\AppData\Local\Temp\E2EB.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp" /SL5="$501F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Users\Admin\AppData\Local\Temp\F27C.exe
C:\Users\Admin\AppData\Local\Temp\F27C.exe
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 77.105.132.87:6731 | | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
memory/1572-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3272-1-0x0000000002500000-0x0000000002516000-memory.dmp
memory/1572-2-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1807.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2940-12-0x0000000003020000-0x000000000305C000-memory.dmp
memory/2940-17-0x0000000075130000-0x00000000758E0000-memory.dmp
memory/2940-18-0x0000000008550000-0x0000000008AF4000-memory.dmp
memory/2940-19-0x0000000008040000-0x00000000080D2000-memory.dmp
memory/2940-20-0x0000000008270000-0x0000000008280000-memory.dmp
memory/2940-21-0x0000000008020000-0x000000000802A000-memory.dmp
memory/2940-22-0x0000000009660000-0x0000000009C78000-memory.dmp
memory/2940-24-0x000000000AFF0000-0x000000000B0FA000-memory.dmp
memory/2940-25-0x000000000AEE0000-0x000000000AEF2000-memory.dmp
memory/2940-26-0x000000000AF40000-0x000000000AF7C000-memory.dmp
memory/2940-27-0x000000000AF80000-0x000000000AFCC000-memory.dmp
memory/2940-28-0x000000000BC10000-0x000000000BC76000-memory.dmp
memory/2940-29-0x0000000008270000-0x0000000008280000-memory.dmp
memory/2940-30-0x0000000075130000-0x00000000758E0000-memory.dmp
memory/2940-31-0x0000000008270000-0x0000000008280000-memory.dmp
memory/2940-32-0x0000000008E00000-0x0000000008E50000-memory.dmp
memory/2940-33-0x000000000B150000-0x000000000B312000-memory.dmp
memory/2940-34-0x000000000C040000-0x000000000C56C000-memory.dmp
memory/2940-37-0x0000000075130000-0x00000000758E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E069.exe
| MD5 | 6c993484f6d45bfd9d0e7fd8481e1e0e |
| SHA1 | 1af1afaa4c518f8e856ab5d0ce756da838c013d7 |
| SHA256 | f86094034e417dad951bb7145ed5cd20bfb2d3b02009557ccaaab7425401a126 |
| SHA512 | e26ca2b44493d01309bc1078849e7de4f44e9134e79ea411b7349b9eff192c7f3e096a2e1e4b238f4277b6f1804b9e6cf85ec0a06a5cc226dc655baac02edb3b |
C:\Users\Admin\AppData\Local\Temp\E069.exe
| MD5 | 58bd3d124dbafffb7ff24ef86159f969 |
| SHA1 | eac7bf63c63e6b369012fa550ee2aad88e679276 |
| SHA256 | c961cac47927c87b96b84877da9edac5612ed53daef01e3d8a9feca2bfbdd09d |
| SHA512 | 46d7046a95b3a45d2b1f7e0bc682198d1867fc4308dd002e3d89c6c9815db0b68e1e5c7d364b55e07ba0f3cbf39fc065b53ca61ea84348b35ad4f6f210bbb4d1 |
memory/2236-42-0x0000000075130000-0x00000000758E0000-memory.dmp
memory/2236-43-0x0000000000FE0000-0x0000000002496000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E2EB.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/4216-49-0x0000000000FC0000-0x0000000000FFC000-memory.dmp
memory/4216-50-0x0000000075130000-0x00000000758E0000-memory.dmp
memory/4216-51-0x0000000007F80000-0x0000000007F90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 3d206fc22c02d16f536621fc9c80c465 |
| SHA1 | 2ede51aee2ca72d825e39b945a3b575e0dafbb77 |
| SHA256 | 4fe016dcc4c5cc69bbbf05eea5428c8cddfa598250b5472db61daebcdea05e07 |
| SHA512 | cd2a7f275684de8c862542dfc81158bb25ddb6cb7feb3dc147ede44738767db54c1e6bf7a4c4e83275b9f2046afa26af119b96aaf2893f8d2e0858776e2ff100 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | baa2da75e0d013177899f3e5b9cf385b |
| SHA1 | 0a10ff5f18e1f9b0da042c1c4e8492a6e3786c2c |
| SHA256 | b2611ffcb49fc617ba80771232f061fcb9161b41f4a43cd7bf1e5f6d6551293b |
| SHA512 | 35eaa9f70877831780dcfb696e927dadfc18068102e3ab5ba19b8dfb553f081a4b82ef95f4618792cf7e9d09207fb281ebbff38ff87b184079fd0547d567bd8e |
memory/4216-61-0x0000000008100000-0x000000000814C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 530ad889cd20252d186ccff2e2e879d3 |
| SHA1 | 362e59be2a71629214d59976f7276ad8ccef52fb |
| SHA256 | 66ba6152edae3b984f7d6f489e6ac38e8f7e84952db7bbe904dbe9adf07f8281 |
| SHA512 | 90e9027cca9b9060be1a65f3681173c4cf30b19c66fe3be061eb3bc931c0a4ea6389cc308b38a33e888795bf19239bc031487c5a839d8c218358faa5afd1a834 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 8de8917e309208915990a95180c47ae0 |
| SHA1 | 906a5eaf56a2e15511bd99a17245d47c47368ed5 |
| SHA256 | 55bd32d4f7e9d331008c607d2fb618590630d9b6cc79d180cd7ace4cc8834bdd |
| SHA512 | be4764da1a8123bb3f3d4e9793d044f5a3e8699df159a535f1ae82ecb89c4ef3e3f63a8c1cdd32661f4158ca439089bb5111b86e8631ac52be373064e462c475 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 65b02fa69ab9d24b4dcc9c5140a37a5f |
| SHA1 | ca435e858dabc37d820e9f60212ec9f0fd20f54f |
| SHA256 | 3a5d6b36be69175977fa2613a74ffa9a2eb4c9520e15a28be70aa5c801307ef1 |
| SHA512 | 41e329b65e9b00f9ce8ff25fef26db83d962ccb93220987ba4aaaa377862ac6f0dec13d274e7f4797257c5920c1f275b7bdec4fcf2290d0093d8d784fe7d7388 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 702222f0bed54a930463e50f1e9cb8ee |
| SHA1 | aaff4dd1acb5106062a6d67a5f5d07490dfdc1d5 |
| SHA256 | 17986e57c6b160834b0d844781bcce59b0173e55455717f9f7d233d99d707b5d |
| SHA512 | 81d93cff9a55ddc71a9b3819741a078e8c6e53eab771c7f2bab250ed3f069cc4142b741c512a7430ba64ef89dfc4ef77769e9dd2a4eedc89bdfc52b13f911f73 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | ce0c881dde669a80ce0960f90389a061 |
| SHA1 | da8834104ea05326300abb6dcef95729e8ef5a68 |
| SHA256 | d0ed07e17acad95e07ac7f8e3a6b03fed82e682c25772e82fec837ec0993a2f9 |
| SHA512 | e98950620b922cdfcf25c4fbee22dffdcb6e51700573c3707d9b1b01fc256add11477312062dcbda65d80b74f7fc54f16307890cf894679ca21c7071fcc5012f |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 4143a3040f0296f56986d1d2db61e0a3 |
| SHA1 | c43f1398b35656d090feb1211439e990a4546048 |
| SHA256 | 37fa015655fec8c85f36f52e805d3706b873514258fe9ccdcd63014aeee99209 |
| SHA512 | bc57d43581d630b5c301592f3fe6a659764f45289b766db7d17d64f12d1ef08aa5139dd079068c2925c88308fe926a3972dfd17834d78cd382066a7c0db5c1f3 |
memory/4624-94-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 6de69fc3a9c9a4c412f36d9f36050e8e |
| SHA1 | ecfd2278db738b0ade1420ff39c551026482f229 |
| SHA256 | d3f9309eb142bfd633097bff7abc1b93db3c33b3ca1d210a1e51ed259264eed4 |
| SHA512 | 1164a43ae88703ab788d7f8d69197234b103d237e4ca84acce06ff381012c14524e5e379f5eac79bd726ab0a8d9515923d63366fbc3da9e863ecbf0424a7eb2b |
memory/2948-96-0x0000000002830000-0x0000000002831000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | e77422fac1e9d2d11cf7f1c1d57071a4 |
| SHA1 | 53e63414263dc20ea044c6cbb4fb4fc2c2be6140 |
| SHA256 | 9d0cfbb7bb8da895a7f43758556217bf4c00b5c335c56b1f765c14069993e320 |
| SHA512 | d2b84dd99814d55c541f02452eac9c9344bfd838d1f8b73a07bcc3193b9122176ffee19a182712b0ea646fb9e4b306732940efb0f38f0903d98788ecf2495f53 |
C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp
| MD5 | dcc391f875f163582ad987b1d81af38b |
| SHA1 | e6d99f84192c8208a21b6465f11b8dc04041430d |
| SHA256 | 0ef8b30c7f7f46da3e3d4181a01db4998087e568adcc835968b478a6f985a84a |
| SHA512 | fa9af6c3d8e3fbafe1525a3b0f3dec86211b126a6c0e0cecb25395a03c6c78c2d4cf30e8a22ba32175862ed5eb0bb14f01ec933e5756ccd9d2d1e154bff279fa |
C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp
| MD5 | 3659aa7fd0429bf23260edd5c7fc4cfe |
| SHA1 | 6f37c3b49d27930c9cb8820da0f2c80e5a08d45f |
| SHA256 | ae2c2f3929715ea631ff82a0f303f4fbfe1ea3a8d18516fa52feccbaba81d080 |
| SHA512 | 845993dfe019cfc89c40f77540c757ee89b070dec5a268ee8be56e1b329b257a924cdccf688fd9dc719929be185443f772d5f0b24aea0bbaf876525b544c481a |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | ceb7b6de2781f90b51641fbd89e0d387 |
| SHA1 | 099c9efc0ea74089da601c1f8d7fb260e296c9d9 |
| SHA256 | 1bbdc276dfcd8768bfc8659887d307a41d8bd73f76b2ce671257bd4d6e9373d3 |
| SHA512 | b2b1528236734421ef589014e78e0d10e5c295f9058ddfa5fe83b82afe219402f3e099feb212098773c7cd3b5f9b66861065d064ffff191fc6b5b5dc4a404210 |
memory/548-125-0x0000000000620000-0x0000000000621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KJPQS.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-KJPQS.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/2236-124-0x0000000075130000-0x00000000758E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 54eb949c88b8f80abe56663f76ff83ec |
| SHA1 | b81d4a43d7ca071862979770b04b4c9164247d92 |
| SHA256 | 09f0c100b01c4b4ea7c8ad2bca7e639c0555985139e509b821b5d56c6969f4e4 |
| SHA512 | db723ed74024d76a8b70682d56b11c56b68e964edabb033754ee1ec69f81675210e6a1621d1c84277cdca290f89d4dd692ed30fa078c5d9f06c41bfa2fc4f4d6 |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | b365d5a9f52f871044f61011e496cbdf |
| SHA1 | 13a248939be980d240b20e8ef72334b2eb749d47 |
| SHA256 | a94b2bc157dcf54099ff1a80dcc49fc2433fcd48a6048ead44efb177576666b8 |
| SHA512 | 3f1869957fb7ac9f4278ac160518bad244bf634309c1b0f649f3ea89939931f5924e72b6d2cd9075a158ac135226020e11352743c73096324ddea0b6e769aa17 |
memory/316-254-0x0000000000400000-0x0000000000785000-memory.dmp
memory/316-256-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | dc03cfc87ab203f5d439f65962d95e92 |
| SHA1 | 2afc0b770115492339137a987b8bbb31c9909aa1 |
| SHA256 | 7c4fa22ed82dae8c25c0fe27ddc4ba39e105a59a962c5b2d1b9e707370de2c5b |
| SHA512 | 0e892499f62548eae2b8365c319151c8823296e2766a2b994388a95d7a1ad691ecd5ae4093fb2faa316d08d2aa60fdd3c6328a9e11f925bb38c0ab102dfa65cb |
C:\Users\Admin\AppData\Local\Temp\F27C.exe
| MD5 | cc2501300d41433559a6ea42baaaa87e |
| SHA1 | 3e951489fc2e1ba11d60f8c8af124ab636a0a30a |
| SHA256 | 08ba2abb8c863ce1629d574856f1f341c0eb8119bda8f0c39c35e4c56b359fe9 |
| SHA512 | aa2dd3eb7e8e6e1643a8ebbb59cc738b137edb40ab31f78083c233d0d138f36366ac5c420d523cfa2f811283555881698386e3f74bb24326cce1812c7ad1bf84 |
C:\Users\Admin\AppData\Local\Temp\F27C.exe
| MD5 | 9e0b9926679b39e34f46a97d82577dd2 |
| SHA1 | 5f3ad2343f98b97e4ca4ec0874cb8f9acbc4ba31 |
| SHA256 | dd47b5969e98735684e44c07bdfb3366162ba141e2e4cd5524ef41fc2c980c06 |
| SHA512 | 85510cd4de855e8c1b19ac25ca67c09fca955c9fa0bec592e7e9e09c91c1d752bdf4e60491d44ca8ac40382b2897ea816d8f959f8cea707ef0fb4fc2bf776ae5 |
memory/316-261-0x0000000000400000-0x0000000000785000-memory.dmp
memory/1384-264-0x0000000000730000-0x0000000000CE2000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 21f912f210419128e7c04c04f9de7920 |
| SHA1 | 6cc2d8bfbed4fc297c68e6925b378663d1a2f48c |
| SHA256 | a0811f0bac71bbc9205110757b302a9b4d829df3b673f2b1ec9c5e4b7e1095a6 |
| SHA512 | 273bdbcc519f35de7fc8834caa8ed755beb5b9042a42f8451e588d092f440e5a4ee94474dc188e17b44d02f696faa0005f2d19b52458e94f5bbb23549d2c468f |
memory/1384-263-0x0000000075130000-0x00000000758E0000-memory.dmp
memory/4216-267-0x0000000075130000-0x00000000758E0000-memory.dmp
memory/4596-268-0x0000000000400000-0x0000000000785000-memory.dmp
memory/1384-270-0x0000000005810000-0x00000000058AC000-memory.dmp
memory/1384-271-0x0000000006210000-0x0000000006220000-memory.dmp