Malware Analysis Report

2025-03-15 05:13

Sample ID 231211-drah6acgg4
Target 0x0007000000014970-113.dat
SHA256 a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
Tags: smokeloader redline @oleh_ps livetraffic up3 backdoor discovery evasion infostealer spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb

Threat Level: Known bad

The file 0x0007000000014970-113.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader redline @oleh_ps livetraffic up3 backdoor discovery evasion infostealer spyware stealer trojan

RedLine payload

RedLine

SmokeLoader

Smokeloader family

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:14

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:14

Reported

2023-12-11 03:16

Platform

win7-20231020-en

Max time kernel

107s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9B94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A249.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
(62 further events recorded with no description, indicator, process or target)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9B94.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1296 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B94.exe
PID 1296 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B94.exe
PID 1296 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B94.exe
PID 1296 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B94.exe
PID 1296 wrote to memory of 1480 N/A N/A C:\Users\Admin\AppData\Local\Temp\A249.exe
PID 1296 wrote to memory of 1480 N/A N/A C:\Users\Admin\AppData\Local\Temp\A249.exe
PID 1296 wrote to memory of 1480 N/A N/A C:\Users\Admin\AppData\Local\Temp\A249.exe
PID 1296 wrote to memory of 1480 N/A N/A C:\Users\Admin\AppData\Local\Temp\A249.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

C:\Users\Admin\AppData\Local\Temp\9B94.exe

C:\Users\Admin\AppData\Local\Temp\9B94.exe

C:\Users\Admin\AppData\Local\Temp\A249.exe

C:\Users\Admin\AppData\Local\Temp\A249.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\A6AD.exe

C:\Users\Admin\AppData\Local\Temp\A6AD.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp" /SL5="$50182,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211031543.log C:\Windows\Logs\CBS\CbsPersist_20231211031543.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\CAA2.exe

C:\Users\Admin\AppData\Local\Temp\CAA2.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 N/A tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 N/A tcp

Files

memory/2400-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2400-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1296-1-0x0000000002A80000-0x0000000002A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9B94.exe

MD5 a3fd760aa391af380bde7d16da4dc4be
SHA1 e2fa0901272acbfba9ae1b1dd7b48f5ef39cce43
SHA256 5cb3abf6e58b6e4d138931a094051a7f4862bd98f29e45098e7d14fe555db56e
SHA512 061bad615b1f19a896415b6f98759e5267dfd20e1ec7bd0705feb2ca6dedc6294e9ab57326a64081075b11229b03fc45ef494766ddfb8fa2720ffae09dcf7245

memory/2744-12-0x00000000001B0000-0x00000000001EC000-memory.dmp

memory/2744-17-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/2744-18-0x0000000007410000-0x0000000007450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9B94.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2744-21-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/2744-22-0x0000000007410000-0x0000000007450000-memory.dmp

memory/2744-24-0x00000000743D0000-0x0000000074ABE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A249.exe

MD5 5badf56160daecaf1dcc1d03ef8d60ea
SHA1 69eb0d7840437bd21321a500f3cb328b354be191
SHA256 96b00d74f669168bbba7f4532e2520c0981d375f1659e0ddcfe436e951e20827
SHA512 d9a62a94071b6dbd1e5faa1325ecfdb6d9547e12ba6edab215273c79a3502b9146a4acda344218fbdcdd0aa475bd2b746ee573a4336e95ef303dae39bce96c03

C:\Users\Admin\AppData\Local\Temp\A249.exe

MD5 05f857cc48e317f6317a1b1381293c2b
SHA1 bedab5027be28b22e65099095408793b1f7a952e
SHA256 b2c49adb852237562819f0739df3ab472ca18ea15f7959e7539c7c47c4490296
SHA512 00e6c1390c4278c5ff119be1d2be5ac5d5512f56b587984bb8510e214b78ced48ce3a67eddc0bc565c2c6d461a0689b6b06c6892f85c27d0f66bef446926165a

memory/1480-30-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/1480-31-0x0000000000840000-0x0000000001CF6000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6c5fbaebcc2a05706ae429a2925a7ca0
SHA1 d2a266c07bb41a7961652478cbf0b61f311371db
SHA256 ed558926d0555d8a71d11117c78c28dd000c9ca30c2d303db89af0fe1c9187c4
SHA512 e40bac9816ea845639d7212e7877219b0318fcb120f33ece22a3246eb39bb8fb21aa45bf9b6a8a9a4c43eee8385751b420c43f8d4de1e96a10dd0bf9b93529f0

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 2ae443108e21210d1d58cc808dac55aa
SHA1 8dedd6803177729a707783f3ffd09e61caf6326b
SHA256 21596e2b58e1374938c48575628e9f5c11510584d5782949dbfaf3fe0d4f72c7
SHA512 710bd13cb36d129e967a4c9dde026fcfbc0ff64beaeb77c0b0dc941ca6acc324a3ede9d9d558837bbb33860f2344f77f94a5384af637e4ce073c15755893c883

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 604740180772ab6b28e974f48d6c969a
SHA1 3082a9166bf862bba736098beeab78954b6537a7
SHA256 8535df0e2bd78136dca9c0efd521e0a908368ba957e220da81cb1d6cbfc5101c
SHA512 327c596c1c47c36a4fda8c5b122696746f20689794b055d3ccbac51da6dc625a93756a94d92e7b95540182711a1a4d8be8c37ee9ba45bfd7d3d02f726e59ffaa

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 9eecd2eb1bf3e6e32c857555fe0495ca
SHA1 c30d6a9bb21ab2f8d1f254a02bf68b067fe2997d
SHA256 6a192b05a4f747f30cfaf038d1adbb80fefef2941bcc7a711b894fdc2b6426d4
SHA512 c257732423f666b48caee0dcb00a4a369d90d861940b6f27c8c4e67843ce349459994880b59e663fc3a2ed79e653191175f4470e1d93de883139bb945dbc9f8b

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 860410865e4b23533c6cfb425872c9c2
SHA1 6e51d02527f721dc0fdc83d759b505d5f94fc050
SHA256 3f88b3dcebe7083e7999ae0966b15dc655b61b7535678c1d4d4873f4aa571107
SHA512 e956e7d52474e4782da4be8a05f7afcab490820afaa72a44a5fe0cfebaf9c46a349e69f1d529ca1690d04f06690729bf353481e7b57271113885dd9f17725dc6

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\A6AD.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5511c21dfd1c17575ebf92f937ef856a
SHA1 3c98d57e27493fee5191ada30e442cf77b1d4357
SHA256 f50eb2d072c013c56dfdf23e7aa7c624a517cffbe67eef051b8d6934e25322b2
SHA512 3a0691c493ea94983d73063e55037afff030779ddc7297088c4f39531e5358c3826fe2201998093fab69d8cf80d67b819ea0319f228ae4247bfcd1c60f8f8787

memory/2128-62-0x0000000000F40000-0x0000000000F7C000-memory.dmp

memory/2128-65-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2128-66-0x0000000007130000-0x0000000007170000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 44886728aa63c6068eab6b18cc9cf1f2
SHA1 b8d432415a6e8ec0f341d849556a966c6c8b81cc
SHA256 05c817b42eef9c238757a81d2a3684486f991e0c2b5e24943427f0459ce14edb
SHA512 5319dc71e0bf0d5f7d6a83e0634f4f9e3f801926bf20c26c3f4dd05d19906d770ae56f9848099129294ac46abf13dbe011eb53086599aaf870af8c2372f0d441

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f0c1b8505e29e5c5021d15b2cd6bf734
SHA1 9c83a298bc43d059dc0e885399142aadca0e6070
SHA256 57bcdf6552c957919c26083bbe49f3f5c8d67675f37122422a9ad18c87e1168c
SHA512 ffc437c71eb5230e04af325f7b5085fee8a2263c987ecf48115e5905741e1c1c45fef4273de5cce0b705ce0fdad8d7d06583f69a3ca853d0d07bbf846ad818e6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 602f54a6d53331143626652aa4fa2d55
SHA1 a5334980cb5cc09699cdb9b5b212763181d80eae
SHA256 781584ce5ddd7a8a5e7ef3d3247e1223fe7e336121d8b2044e4c392b6e450571
SHA512 c3c0c99051ac39256a901b7cb0691412a304c96fb1e28d296f8a6ab5ed7eb4565ca3f8e21d7b4b2c61e0de65d50c064c3bca7efdf73efa950c5b0366e261245a

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 fd4dca0e70344386a9feb0d10b83b071
SHA1 ef969ac052c222243e49c658f7c259a34a07c251
SHA256 cdd7906a78414c485a0b5c9bb92aae5d42b3d6fc300513fde287787fa3232e41
SHA512 2316b796050dd63b6e2e3517796ffcb45f25257a3a72fca6d5e85c92eabae582bb880d5521f98889c9f4180fb1520a7f851ee6894da44bdc3df0221e7f90a293

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 f7c5b1ca5b4c27b733b396dadf55916b
SHA1 ffed0551938dbbaf80b48e4afc0f96f6fc50818d
SHA256 20fea6677d5e7cc3d8dfc6eaf99ec6d0f7b6ac90dba5e8233c0a363b794b848c
SHA512 db911cf08e950e97f9cdc41896073b76c6011c876af74e902aa454f80f7b924fa431e3b37769045bfd8af34cbbe70ed26219e287c2a668487258b948132bcab9

memory/1908-72-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 2291cec2b4a259f02c6da442d577303e
SHA1 5e2ec2eb93173e3012dbf80fadcab21ed80982e5
SHA256 d5b919cb321b782a48526e02c6341587fb37028736a4b575817bf4104da28ccd
SHA512 b308f64051a87d742e09ec4ae3820ac1e46176d30caf4e157c3cc656534ae217b3f16a62e67e12284085cdac6dc2ed9d2acfea05d638ba74bdac9c03e53654a6

memory/1760-77-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 f785e62266ff3c7e1641b939d952cd06
SHA1 51d0d03acdbd943572a0a65fb69c099f842543b3
SHA256 e0694622de3bdc640d3a181d6340f074f2895885b6456b16bfcbc50b01624a45
SHA512 30fc0aebb5f33646447b97437fcce836b09159bb096b5d6fcefa5b34a79ba3b33910333903121a4bc2444f359e08a3ec93978eaf33d77ca6b05a0da9ae694960

memory/3032-79-0x00000000026E0000-0x0000000002AD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 102b231494a28d21c028893e92ace503
SHA1 d1f52301a472817762a4b32d3fe5aeb1f148a998
SHA256 8f631e7185107918122757696eb24fe263cb97157181e540d690181f64a17bca
SHA512 e0586426253dcc1269df8ff6da9116f5293a4b81da2b805757e8e970ff35d5e7a696ef499c34afbb01380497c04484fa66871ccd5e5c73a96d4ab63efb67e811

\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp

MD5 ec7e51babe4df69d9b758cee8bf4264b
SHA1 473c91ebeac4cd83618f05c9dd8ea85e6afd5be9
SHA256 b65234c2aa476704b845fb7788fbed74f58919991e999c5c306a21b4b985e1ba
SHA512 31d9f8672f94e81fdf8cc6beb08a27e6db856076ec0069607083fb696d2607c47568e2bd8f814caa675087e04bc25846628e266f198bcb512b9f59ca4c01b892

C:\Users\Admin\AppData\Local\Temp\is-UI76U.tmp\tuc3.tmp

MD5 ade7c14e2823339c8fcb8f17a7779c75
SHA1 1274aac7b940d33e9bf8e382d3a6129dc0aad287
SHA256 a44626217ca755fb9012660ee145e4efa58733eb7e179549a2fbf3d64f0e4c82
SHA512 eee5fa26855805db0f1b8de870f2d385cf0ce5b4a6e290dcd73f3c303b0db54147e4ef1d297ea50fe5806e98b80cf51291803fe7be79ba07f6fb67d4c5e773ff

\??\c:\users\admin\appdata\local\temp\is-ui76u.tmp\tuc3.tmp

MD5 5fb5e1d689e3345a9da8fa0b13437e43
SHA1 706653f6b5fb4431be3562e5a620568fc5523cc2
SHA256 be55c728007878f18a4750d9899601586cd11bfd825dac9f5d1e09c4bf5e1344
SHA512 0704eabdffa1edd7ce86ad7dfe3a073dea26622b12616646abd1fe9bca1dfae0b6296c28dd64de38aa3d16bf6a0449e34df22f65afa0aee90d23a9ca7366efab

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 13c2987a4eeaefac56fcc73866bb3d23
SHA1 9d62d127673b238394c92bbb9327f7e48e243309
SHA256 056d3373f8d2224dc36fc40232a211aab14f238c875af79516f5638815642d69
SHA512 c76771dbec2f2ad6b34f14fac26178a8becc5b8215e886f568a028473c03828f923e1a21d346f559f72908fa7d192b4aff80aabe20658d79ae4a184eb1a6c4cc

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 d7538ae5b307b69b4048b020ce3674f0
SHA1 a0559bf187c973d8a1a2c3a68f2bca47cd3b2960
SHA256 32c597bf814b647bae3c072f4949aa4d0ed8e884aa3e2d27071aa806464bc24f
SHA512 6b1c50dbe7dfa491edfe867cfdbdbbe07e9b96bb19c66a182273537771cc315c89d3ccf0f14e16ca0e0940f9c6151949428ecf443d601aed511d78ae62616df7

memory/828-105-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8R8PM.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1480-104-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/1176-119-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1176-118-0x00000000008E0000-0x00000000009E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 28d213679acc39cf6cead075b6dcddf1
SHA1 5b6695080793a8366beef6437f930bb84cfb4eba
SHA256 4fe23f861e22ab898085dd2d4aaa4112a68fb69a202216e0db42519486403fbd
SHA512 4196f5809422314e051be205d91d1344ce993fa2784f2336e8edb603a964a696739e8583089701f94ef68f384bf81e08c408ecc39c50c251a96083aac7630179

memory/1420-124-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1420-126-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8c6a41849b7ecfd3f0a5aeb60915b2bc
SHA1 bb54c820a3c033382ea3dca5b56feb106ec23d80
SHA256 5986314e268d7eb1834ff9c8113ac03ae8ff3ec91e1a4b6c76133b48038b9918
SHA512 fc9d7e8ea75f89577287db3acc3469ed065dbe8b23345b7de9ba1d745631c829e868659999efde1affe722d04e21227fd6b3043212e41fe02069a39cb04fad61

memory/1420-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 916626959dc11b5ca2bc452648f51de6
SHA1 d2af64d665a3484e667ce382241e5a510870a0ce
SHA256 388d79d06b42d3077a7f40a7f2a321f05ce9933e797bb4ede320205556971339
SHA512 1fc8c6f2c41f69274ed1c3b95855ce97cdbc7f7cd5f03212cec824f419647f920464ee5b909661907a0248c7458aba78876eb20437838f11ff9b6496a7c279db

\Users\Admin\AppData\Local\Temp\is-8R8PM.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-8R8PM.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3032-127-0x00000000026E0000-0x0000000002AD8000-memory.dmp

memory/3032-128-0x0000000002AE0000-0x00000000033CB000-memory.dmp

memory/2128-130-0x00000000743A0000-0x0000000074A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ec15a461d94f5e12fe10998ec0713431
SHA1 0b6a787b28c819fd063dce3d2660fe3ddae42ab9
SHA256 861d3ea0817cf5d5e7fe0f2843aed5f03fbcfd3673d050721475ce2a7ee16269
SHA512 8c088b9b1bde428bce04ed58069ec603a425a3e8e18802fd2341de14e3acb809e6f753f0912a2cedaf01f0ee9163aa1cd6ab4a3920501c9b6587fa5b24beb2ac

memory/3032-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 002b03920647429bbae6928517a93fb4
SHA1 59b528b0701063713ec585a483b354845b9046e5
SHA256 0838fb460860a6dbe7fb17f6936b9cfc3bea737105d81bbb232737c7fe25228f
SHA512 a221c0bb42d4045f36cbb3e1e66ea44c3bd551c33eb629ec53adbb8abfa6f97c3288ab468664a3337ed0fe8b8d0eaa5fa3f5f6e35a92497576b1920bee7c96b2

memory/3032-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2372-134-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/3032-135-0x00000000026E0000-0x0000000002AD8000-memory.dmp

memory/3032-136-0x0000000002AE0000-0x00000000033CB000-memory.dmp

memory/1296-137-0x0000000002C10000-0x0000000002C26000-memory.dmp

memory/1420-138-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAA2.exe

MD5 7743062160aa387c9551af78cfa658b9
SHA1 413127b33ee9e992cd80c1cc66f3cb77a18e8ab0
SHA256 c397a7d219cb710c4deaeab5c96b118f7bcf617121d254f7221ca036225ab374
SHA512 ee7a97914520fa15eb11db799530c2b5b6ea5346611067dafe53034e53e1ab466e1e5015c3c897b781ab9ef1ff884974b28b3cef46a62c93b7172c97bb87b197

memory/2128-147-0x0000000007130000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAA2.exe

MD5 2bc30d9cc13a708378b2b4662d5a154b
SHA1 144981aa10affdcd499566e47cf96baee88b5645
SHA256 612181165db55384a2a80efabb49bb651b4e61958c5fbb496571d95ccafd239f
SHA512 0a3710defb646ade62847eeec47bf37ccaf3ac3afe251ec1f5b09f1477631f0019a3e3fe8f281f7692aec01ed6253593d956a2c9895c9a9e6d68ec77653c498e

memory/2448-148-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2372-151-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/1908-152-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2372-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1760-153-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2448-154-0x00000000052B0000-0x00000000052F0000-memory.dmp

memory/2448-149-0x0000000000240000-0x00000000007F2000-memory.dmp

\Windows\rss\csrss.exe

MD5 71db53cb1f36bb8409addea1290a1792
SHA1 1145aa2d98ad8e1c6290ec2d2a99540aa9a7c6b5
SHA256 b2145e8e55bf6b967805dd69342fb62f020aaca0b36c311bb9b89a621afcef26
SHA512 7d6bc97ff0579b0c4441945a1173deda187edd57d1f43efa75019226900d8fd3fbc1170a7b7064cecabbb33af562dbf774b67764455b493d2336849b02cc2f8a

memory/2372-174-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 fddf223b586eb884dff64e6bd8c6c878
SHA1 284e12de869a4fd257ea3c11baa573e4282e3c76
SHA256 627359fec267b51b913cb4410dd662bc757961c650168190c107b704d510a4a9
SHA512 f601b3e306f57a92a71a41c2801634cffa96ceaa991c89831f2cec8f39c40f71e4e42fd0a1622ff8dbb0cb3d0a221acf5dbdcbfc765ffd35ca93d32933b2975b

\Windows\rss\csrss.exe

MD5 e754d39ddbb59be388543944b7433bac
SHA1 c66241260052a4697ad95b6c6c3d5caecae0cda2
SHA256 b301d72bba8779189690709edd2a438ac2a6622db16ebfb4b326d63148333824
SHA512 44d4d0877e6174b1df16cd2080e49b224a9827259841111fcef3c636e71d48f0ed0333a0de130f0269d28d4222b9581d7b9593e294b4d951df3791fbafd7f096

memory/1908-175-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1784-178-0x000000013FF10000-0x00000001404B1000-memory.dmp

memory/2900-180-0x00000000025C0000-0x00000000029B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:14

Reported

2023-12-11 03:16

Platform

win10v2004-20231127-en

Max time kernel

81s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1807.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
(62 further events recorded with no description, indicator, process or target)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1807.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\Temp\1807.exe
PID 3272 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\Temp\1807.exe
PID 3272 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\Temp\1807.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

C:\Users\Admin\AppData\Local\Temp\1807.exe

C:\Users\Admin\AppData\Local\Temp\1807.exe

C:\Users\Admin\AppData\Local\Temp\E069.exe

C:\Users\Admin\AppData\Local\Temp\E069.exe

C:\Users\Admin\AppData\Local\Temp\E2EB.exe

C:\Users\Admin\AppData\Local\Temp\E2EB.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp" /SL5="$501F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Users\Admin\AppData\Local\Temp\F27C.exe

C:\Users\Admin\AppData\Local\Temp\F27C.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 77.105.132.87:6731 N/A tcp
US 8.8.8.8:53 87.132.105.77.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
GB 96.17.178.174:80 N/A tcp
GB 96.17.178.174:80 N/A tcp
MD 176.123.7.190:32927 N/A tcp

Files
