Analysis Overview
SHA256
c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3
Threat Level: Known bad
The file 0x000a000000014adb-116.dat was found to be: Known bad.
Malicious Activity Summary
Glupteba
RedLine payload
Smokeloader family
Glupteba payload
RedLine
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:44
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:44
Reported
2023-12-11 03:47
Platform
win7-20231129-en
Max time kernel
65s
Max time network
110s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\758D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E73.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\758D.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\758D.exe |
| PID 1360 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\758D.exe |
| PID 1360 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\758D.exe |
| PID 1360 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\758D.exe |
| PID 1360 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E73.exe |
| PID 1360 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E73.exe |
| PID 1360 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E73.exe |
| PID 1360 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E73.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe"
C:\Users\Admin\AppData\Local\Temp\758D.exe
C:\Users\Admin\AppData\Local\Temp\758D.exe
C:\Users\Admin\AppData\Local\Temp\E73.exe
C:\Users\Admin\AppData\Local\Temp\E73.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-6247P.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6247P.tmp\tuc3.tmp" /SL5="$5014C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\11CE.exe
C:\Users\Admin\AppData\Local\Temp\11CE.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211034547.log C:\Windows\Logs\CBS\CbsPersist_20231211034547.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\6413.exe
C:\Users\Admin\AppData\Local\Temp\6413.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
| US | 204.79.197.219:443 | N/A | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | N/A | tcp |
| RU | 212.193.52.24:80 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:44
Reported
2023-12-11 03:47
Platform
win10v2004-20231127-en
Max time kernel
79s
Max time network
142s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B820.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3FEE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43B8.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3380 wrote to memory of 4352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B820.exe |
| PID 3380 wrote to memory of 4352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B820.exe |
| PID 3380 wrote to memory of 4352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B820.exe |
| PID 3380 wrote to memory of 1316 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3FEE.exe |
| PID 3380 wrote to memory of 1316 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3FEE.exe |
| PID 3380 wrote to memory of 1316 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3FEE.exe |
| PID 3380 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43B8.exe |
| PID 3380 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43B8.exe |
| PID 3380 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43B8.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe"
C:\Users\Admin\AppData\Local\Temp\B820.exe
C:\Users\Admin\AppData\Local\Temp\B820.exe
C:\Users\Admin\AppData\Local\Temp\3FEE.exe
C:\Users\Admin\AppData\Local\Temp\3FEE.exe
C:\Users\Admin\AppData\Local\Temp\43B8.exe
C:\Users\Admin\AppData\Local\Temp\43B8.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\6EF0.exe
C:\Users\Admin\AppData\Local\Temp\6EF0.exe
C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp" /SL5="$401E2,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Users\Admin\AppData\Local\Temp\897D.exe
C:\Users\Admin\AppData\Local\Temp\897D.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp |
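The Network table above mixes the sandbox's own background traffic (queries to the 8.8.8.8 resolver, reverse lookups, Bing/Microsoft telemetry) with the three direct IP connections that carry no hostname (81.19.131.34:80, 185.172.128.19:80, 176.123.7.190:32927), which are the usual starting point for C2 hunting. The Python script below is an added example, not part of the sandbox report, that parses rows copied from the table and separates the two. The benign-suffix list and the treatment of all 8.8.8.8:53 traffic as resolver noise are analyst assumptions, not something the report states.

```python
"""Triage a sandbox report's Network table: split sandbox/OS background traffic
from candidate C2 endpoints. Added example, not part of the original report."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: rows copied verbatim from the report's Network table.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
"""

# Assumption: these are sandbox/OS background traffic, not the sample's C2.
BENIGN_DOMAIN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVER = "8.8.8.8:53"


@dataclass(frozen=True)
class Conn:
    country: str
    dest: str
    domain: str
    proto: str


def parse_rows(table: str) -> list[Conn]:
    """Turn `| a | b | c | d |` rows into Conn records; header and blanks skipped."""
    conns = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        conns.append(Conn(*cells))
    return conns


def is_noise(c: Conn) -> bool:
    if c.dest == RESOLVER:
        return True  # DNS query to the sandbox's resolver, not a payload connection
    return c.domain.endswith(BENIGN_DOMAIN_SUFFIXES)


def candidate_c2(table: str) -> list[tuple[str, str, str]]:
    """(dest, proto, country) for every connection that is not sandbox noise,
    deduplicated, in first-seen order."""
    seen: list[tuple[str, str, str]] = []
    for c in parse_rows(table):
        if is_noise(c):
            continue
        key = (c.dest, c.proto, c.country)
        if key not in seen:
            seen.append(key)
    return seen


def reverse_lookups(table: str) -> dict[str, str]:
    """Map each in-addr.arpa PTR query back to the IP it asked about, so the DNS
    rows can be tied to the TCP rows that precede them."""
    out = {}
    for c in parse_rows(table):
        if c.domain.endswith(".in-addr.arpa"):
            octets = c.domain[: -len(".in-addr.arpa")].split(".")
            out[c.domain] = ".".join(reversed(octets))
    return out


if __name__ == "__main__":
    for dest, proto, country in candidate_c2(NETWORK_TABLE):
        print(f"{dest} {proto} ({country})")
```

Run against the full table the same filter leaves only the RU and MD endpoints; everything else is either a DNS query or a Microsoft host contacted by the sandbox image itself.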
Files
memory/3704-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3380-1-0x00000000026D0000-0x00000000026E6000-memory.dmp
memory/3704-3-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B820.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\3FEE.exe
| MD5 | b0b169ef9fb82ea942fc84f29fa06551 |
| SHA1 | bf5afb5636187f2464ed599dfdec034fbf578697 |
| SHA256 | 4b65875a9af87bc66f237835fde7340f78023e277c5ce00190e989d81b4c7841 |
| SHA512 | cdb952b9432e5cac5c8950e3b49db2def5f219ef0bfd863ca6e89321cd1ff34c4a0436c9dda26a419588308957a14aa910d24d05e779b711391e59f925650cb3 |
C:\Users\Admin\AppData\Local\Temp\3FEE.exe
| MD5 | 1bd64ffbb781661958321de291442d84 |
| SHA1 | 49cd6dff91046eaa85840dd66501685c697686f9 |
| SHA256 | f172c871be20b4c5c86b6616186dd8b3783a7a650dd9dd3d4142961cdaee0b69 |
| SHA512 | a7b494726a61ff3520c3d9b0c9d901ac56e0210778b65c836b93743382c28d2a34f593e60f6b9dc544bcda8e4909844870860f615623cd6b62675012a36d1368 |
C:\Users\Admin\AppData\Local\Temp\43B8.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/4460-20-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/4460-21-0x0000000000340000-0x000000000037C000-memory.dmp
memory/1316-22-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1316-23-0x0000000000CB0000-0x0000000002166000-memory.dmp
memory/4460-24-0x00000000075F0000-0x0000000007B94000-memory.dmp
memory/4460-25-0x00000000070F0000-0x0000000007182000-memory.dmp
memory/4460-27-0x0000000007280000-0x0000000007290000-memory.dmp
memory/4460-28-0x00000000072B0000-0x00000000072BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
memory/4460-36-0x00000000081C0000-0x00000000087D8000-memory.dmp
memory/4460-37-0x0000000007BA0000-0x0000000007CAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 9cbdb49c8cfe94d3380cf3456b66d96c |
| SHA1 | 32c5d500781220052e695ca2485a686267a8390b |
| SHA256 | 49b1edd250702b352f9ed1948db08e6a540c20e67c6916e76211fe450ca675d9 |
| SHA512 | b67aa9f0a8ae905c64fc699370d81e385adc5164237e0a60e9ec693ca57ff4aa77d8c7c329486eedd41bd43e97b9416c0ebf0a7fb8928feed621c0217715ae29 |
memory/4460-39-0x0000000007380000-0x0000000007392000-memory.dmp
memory/4460-42-0x00000000073E0000-0x000000000741C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
(These are the digests of a zero-byte file: the sandbox hashed toolspub2.exe when it was created, before any content was written. Do not use this entry as an indicator; the populated copy of the file is listed separately with its own hashes.)
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | d6e2d1e34c09f72cfec36486cffe83d6 |
| SHA1 | 81636569d19838e479c7c469d9402f57cdbe41d7 |
| SHA256 | 746db77481ca2dcb8f061c26f1b77f1c5a0e7c7a4fe0eb65ba8befdfb831b82a |
| SHA512 | 5006c15d03cda40c81d1fbb6fd53976e1ccbbd9975c0eeafddaa158b03b355a83188af0abb050da8d97d80e284db832910eb3499840d382e6e327ca0ef9b7b57 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
memory/4460-44-0x0000000007440000-0x000000000748C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ed88de7bde0aa9e5c6373bf712a912e7 |
| SHA1 | 771c3cfe93ee2cb077d56189abab1543c4b19a0d |
| SHA256 | 6b9d8ef83bad81d4075c1419274320f7ee66490742f7779b87681330ec18c885 |
| SHA512 | 06fb06a9a73ba32368db66a91a787ba24fd050210fcab647321719ff5d9b7e5feceb00f121e3d25efdebc2ee3635c69d9176d2bdf567ddf46b6fb78e8765b633 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 3053824ffd7b984d9f4acc8d590694ea |
| SHA1 | 2944cadc5f2faf755c960fa2375665168074b761 |
| SHA256 | 5d6d1a218717eb310a2e8da32e953a30ef49e4c7faa817d485c3b0fed21b3aed |
| SHA512 | 9841c27148ec0c2a223623609cd17abeeb99cd585c306c0ec7e63853ab3b4d5c9b9efd4e1908448cb823a06e4d697e8952e0a7eb17a4ef82762675e998b5f8d8 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | db7cea14da34db0b4cf2fc3b40a46a5a |
| SHA1 | 32b621293e6366b45e2dcffe40b590bb985a9ee0 |
| SHA256 | e84e93c12bcbbf578467c9df3d68908e150ae82e74d8073a6ede2be977f284cf |
| SHA512 | a9a64d63ebe5bcd1342e51e3f461eae3d2ef03c375a692a9fd59bdbcef9ff70d535e0ddf668c20797741dd86a3d91a9fe6b623c1d06c03c8b0c47a11793135f0 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | d6af9f1ea20caf07cbbc7cc75475411b |
| SHA1 | 9b677fe3f4994e76ecfae030f08b6f5393238010 |
| SHA256 | 4e7bc66339e8b20cff5500a85b34afd2fd8ae81fb9d5973a2fb84c66651537c5 |
| SHA512 | 04723a1b98b8b68e8156d2dcf3fca0b2d826266e1fc0b4bad9c1f7448291ea8dd86273f786efc12329b8570de200a700e36ee666d45dd1d926da5c21fccb1535 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1ac6f91f68a718573bc6e310e5267f9c |
| SHA1 | a30f1f046da88ec78fcab903e37f0b8520625d5d |
| SHA256 | 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a |
| SHA512 | 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | bb62eb5da4f2a9ab8434396d9752fdb0 |
| SHA1 | ad269614474763d1b6f1b39e51ff58b99bdd2e13 |
| SHA256 | 08a4f6f94fe0a0b52fab5283aa44f062bb68c1755205bd81ef924f352f2d209e |
| SHA512 | e4da83dbae17e1db6e57692a409ac9c05f7fba029fd1a75d2cee8a1d529475ff4698db371dfd14c846197226077d6699cf648b4428656861f0f5304e819e3632 |
memory/4884-78-0x0000000000B30000-0x0000000000B31000-memory.dmp
memory/3188-81-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/396-79-0x0000000000400000-0x0000000000414000-memory.dmp
memory/396-83-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3188-84-0x00000000003A0000-0x0000000000952000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 226ab7d4c5a038c007eec25a889bcddf |
| SHA1 | 57b2f5af24a9ed41bada5cbfde98a8a31a3d5e28 |
| SHA256 | f3153b917963382dd4895ecb4bf18cf40e330f479c89b4ac66f2d90b15257f7a |
| SHA512 | c415051ddc1c5d61f1635bcef34963f20c63b6deb021809ccd7152a01b2504838182b2624d6318c497915277455009db46cf5d3e4c36f342f4cf765b0558309d |
C:\Users\Admin\AppData\Local\Temp\6EF0.exe
| MD5 | 94e484b3c98f11ddd7b52a1f2e0d6d07 |
| SHA1 | 69996218b5284f2db3c63be84c008bb158999fc6 |
| SHA256 | 629e09208510bd357194229b346444616ace3bc724106d8843a4b98f5504731c |
| SHA512 | 52ab9bc3101529e6d4b919d4716abc0a1e052395c4c75e7ace09971dfb89ea0b138a8d8d105ed36ca94e5b77232ad94cce44f20161e3ec3cd5a06a1cd5a1e41e |
C:\Users\Admin\AppData\Local\Temp\6EF0.exe
| MD5 | 6915ae7cb5b2eb3f5df1b184cc625950 |
| SHA1 | e5ef210770671a430148a1df61fdd6cddecc30ad |
| SHA256 | 4f8d417ea7c3b15679337a1cd12bbf88299a84107cf5bae3be47c5e4425eead2 |
| SHA512 | 0d000b3e90f9185ad56455d1da101ad18875ae1738c6fe5dfe3e2e923d3317e535e5514fca80a443a1ac1a779c93305f849465cc3ea7ee7e52f719903960bf6c |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | e6398c572d3912e95d67990db42f7b65 |
| SHA1 | 1caeb92853c065336109a4b63813aedcab048aad |
| SHA256 | 46d152bb29f8bff9153f8e357b8b06d56b865e3aadd43a67e5a5645878c1359c |
| SHA512 | d6986cc29c6fac52959ab3945c398e28369dbd3a0654d8c3186227855dd5639685cd7ba3e308bc78189dfc5dd8aca894d30c4029b8d0c019b16080377346576d |
C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp
| MD5 | c92eb06a2c0616bdf739a70b1427b0f0 |
| SHA1 | 3657c0f2e2ebf65d95469e93ad781516e6b808ef |
| SHA256 | 0551438a2f2a917e628bfc212473dafb78edcabd6188389dd485be69437f3e03 |
| SHA512 | e23e7499c7959b8cda5c12f888aecc1d08556163280b603998e2ac8dfb268c2d721e5280b977b2d9afcb2312706ec98bfbd490d9a22bc7bb0a8620db19e53327 |
C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp
| MD5 | 54bb0d4e8255b55f339cb4e20b537b0b |
| SHA1 | 9b8957c8631a57142545c9bd1229cdae402bafea |
| SHA256 | 82eecf84a880e8cbf0a4a5dfaffed6b65afcec9f6b0289bccf9f06f58c7550e8 |
| SHA512 | da5461afc80fabb5920d3dffbcf870ffe4b8432b0d61a1b2ef4a549b54d25e2f299bbfc5c7961c43131f1556e4ff5ab244e7a3598193dd06654bf1f3362ef889 |
memory/3188-95-0x0000000005510000-0x00000000055AC000-memory.dmp
memory/1316-99-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/636-115-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-AOE37.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-AOE37.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/3188-97-0x0000000005650000-0x0000000005660000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | d2ef8dfca07b76626d20a20d38c835a6 |
| SHA1 | 02932db44220b4a104c6822ccca1c0a367da7fb2 |
| SHA256 | 623961bc5b17849b37e61e99ff84da230fe12ff539e07e947ba454168e935e07 |
| SHA512 | 3256df52f995c5632daad4fa3057912645d3403a0b7813d852c50a4d58771eaeaf4e38d981a8110d6770151fe080e85826eb2abb8bc764bbd068c83b4cd7ee40 |
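The Files section lists several paths more than once with different digests (3FEE.exe, InstallSetup9.exe, toolspub2.exe, tuc3.exe), because the sandbox hashes a dropped file each time it is written, and one entry carries the digests of an empty file. Turning this into a usable IOC list means keeping the staged captures apart, dropping the zero-byte capture, and sizing the memory-dump regions. The Python script below is an added example, not part of the sandbox report; its sample input is a constructed subset of the entries above with the SHA512 rows omitted for brevity, and the empty-file check computes the reference digests with hashlib rather than hard-coding them.

```python
"""Build an IOC list from the Files section of a sandbox report: one hash set per
file listing, staged captures kept apart, zero-byte captures flagged, memory-dump
regions sized. Added example, not part of the original report."""
from __future__ import annotations
import hashlib
import re

# Constructed sample: a subset of the report's Files section (SHA512 rows omitted;
# the parser accepts any `| ALG | hex |` row).
FILES_SECTION = r"""
memory/3704-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3380-1-0x00000000026D0000-0x00000000026E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3FEE.exe
| MD5 | b0b169ef9fb82ea942fc84f29fa06551 |
| SHA1 | bf5afb5636187f2464ed599dfdec034fbf578697 |
| SHA256 | 4b65875a9af87bc66f237835fde7340f78023e277c5ce00190e989d81b4c7841 |
C:\Users\Admin\AppData\Local\Temp\3FEE.exe
| MD5 | 1bd64ffbb781661958321de291442d84 |
| SHA1 | 49cd6dff91046eaa85840dd66501685c697686f9 |
| SHA256 | f172c871be20b4c5c86b6616186dd8b3783a7a650dd9dd3d4142961cdaee0b69 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
"""

# Digests of zero-length input, computed so the check cannot drift from the
# algorithm it names.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*([A-Za-z0-9]+)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def file_iocs(section: str) -> list[dict]:
    """One entry per file listing, in report order. A path that appears twice
    stays as two entries: the sandbox re-hashes a dropped file on each write."""
    entries: list[dict] = []
    for raw in section.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            entries.append({"path": line, "hashes": {}, "empty": False})
        elif (m := HASH_RE.match(line)) and entries:
            alg, digest = m.group(1).lower(), m.group(2).lower()
            entries[-1]["hashes"][alg] = digest
            if EMPTY_DIGESTS.get(alg) == digest:
                entries[-1]["empty"] = True  # zero-byte capture, not a real artefact
    return entries


def unique_sha256(section: str) -> set[str]:
    """SHA-256 values worth blocking or hunting on; zero-byte captures excluded."""
    return {e["hashes"]["sha256"] for e in file_iocs(section)
            if "sha256" in e["hashes"] and not e["empty"]}


def memory_regions(section: str) -> list[tuple[int, int, int, int]]:
    """(pid, start, end, size_in_bytes) for each memory dump line."""
    regions = []
    for raw in section.splitlines():
        if m := MEM_RE.match(raw.strip()):
            pid, _, start, end = m.groups()
            start_i, end_i = int(start, 16), int(end, 16)
            regions.append((int(pid), start_i, end_i, end_i - start_i))
    return regions


if __name__ == "__main__":
    for e in file_iocs(FILES_SECTION):
        flag = " (zero-byte capture, skip)" if e["empty"] else ""
        print(f'{e["path"]} sha256={e["hashes"].get("sha256")}{flag}')
    for pid, start, end, size in memory_regions(FILES_SECTION):
        print(f"pid {pid}: {start:#x}-{end:#x} ({size} bytes)")
```

The region sizes are useful on their own: the 0x400000-0x40B000 dump of PID 3704 is a 44 KiB image-sized region, the kind of small unpacked stub that is worth pulling out of the sandbox for static analysis, whereas the large 0x746F0000-0x74EA0000 regions under PIDs 4460 and 1316 are the same address range in both processes and are far more likely a shared loaded module than a payload.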