Analysis Overview
SHA256
8efed3b792accd764dc37407da33d7b5600129edbedaa956e6bba34d06d3e1f0
Threat Level: Known bad
The file 0x000800000001628e-136.dat was found to be: Known bad.
Malicious Activity Summary
Smokeloader family
SmokeLoader
Glupteba
Detect ZGRat V1
RedLine payload
ZGRat
RedLine
Glupteba payload
Modifies Windows Firewall
Downloads MZ/PE file
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 18:55
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 18:55
Reported
2023-12-11 18:58
Platform
win7-20231023-en
Max time kernel
58s
Max time network
133s
Command Line
Signatures
Detect ZGRat V1
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-JLMIA.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-F4EB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-LLNFC.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\install\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\install\is-7SD3C.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
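The three rows above record the sample opening, enumerating and querying HKLM\SYSTEM\ControlSet001\Enum\SCSI, where Windows keeps one subkey per SCSI device named in the form <class>&Ven_<vendor>&Prod_<product>. The report records the read, not what the sample does with the result; the usual reason a loader reads this key is to look for hypervisor vendor strings in the disk identifiers, and that is the assumption behind the following Python. It is an added example, not part of the report or the sandbox's tooling: it parses the output of reg query HKLM\SYSTEM\ControlSet001\Enum\SCSI (the sample output below is constructed for the example) and reports which devices would give a virtual machine away, which is the check a sandbox operator can run on a detonation image before trusting a "no VM check" result. The marker list is illustrative, not exhaustive.

```python
"""What a read of HKLM\SYSTEM\ControlSet001\Enum\SCSI reveals about the host.

Added example for this report, not sandbox tooling. The marker table and the
sample reg query output are assumptions constructed for illustration.
"""
import re

# Device instance IDs under Enum\SCSI have the form <class>&Ven_<vendor>&Prod_<product>
DEVICE_ID = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[A-Za-z]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)",
    re.I,
)

# Vendor/product substrings that identify a hypervisor (assumption: illustrative list).
HYPERVISOR_MARKERS = {
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU/KVM",
    "virtio": "QEMU/KVM",
    "xen": "Xen",
    "msft": "Hyper-V",  # Hyper-V virtual disks report vendor Msft
}


def parse_reg_query(output: str):
    """Parse 'reg query HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI' output into
    (class, vendor, product) tuples, one per device subkey."""
    devices = []
    for line in output.splitlines():
        m = DEVICE_ID.search(line.strip())
        if m:
            devices.append((m["cls"], m["vendor"], m["product"]))
    return devices


def hypervisor_hits(devices):
    """Return (device id, hypervisor name) for every device whose vendor or
    product string carries a known hypervisor marker."""
    hits = []
    for cls, vendor, product in devices:
        blob = f"{vendor} {product}".lower()
        for marker, name in HYPERVISOR_MARKERS.items():
            if marker in blob:
                hits.append((f"{cls}&Ven_{vendor}&Prod_{product}", name))
                break
    return hits


# Constructed sample: two VMware devices and one physical-looking disk.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO
"""

if __name__ == "__main__":
    for device_id, hypervisor in hypervisor_hits(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{hypervisor:12} {device_id}")
```

A hit here means the sandbox image leaks its hypervisor through the very key the sample reads; renaming the disk identifiers in the VM configuration is the fix, and the check should be repeated after any hypervisor upgrade.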
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe
"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"
C:\Users\Admin\AppData\Local\Temp\D5A7.exe
C:\Users\Admin\AppData\Local\Temp\D5A7.exe
C:\Users\Admin\AppData\Local\Temp\33ED.exe
C:\Users\Admin\AppData\Local\Temp\33ED.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp" /SL5="$A01F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211185637.log C:\Windows\Logs\CBS\CbsPersist_20231211185637.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\A3C0.exe
C:\Users\Admin\AppData\Local\Temp\A3C0.exe
C:\Users\Admin\AppData\Local\Temp\AD91.exe
C:\Users\Admin\AppData\Local\Temp\AD91.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
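The process list above shows the Glupteba persistence step end to end: a WOW64 (32-bit) process launches C:\Windows\Sysnative\cmd.exe (the Sysnative alias only resolves from a 32-bit process on 64-bit Windows), cmd.exe runs netsh to add an inbound allow rule named "csrss" for C:\Windows\rss\csrss.exe, and that binary then runs from a directory in which no legitimate csrss.exe lives. The Inno Setup stub (tuc3.tmp launched with /SL5=) belongs to the bundled xrecode3 installer; legitimate installers do exactly the same, so it is worth recording but not alerting on. The following Python is an added example, not part of the sandbox report or its tooling: it runs four command-line rules over the behavioral1 process list copied from this report. The trusted-directory allowlist and the list of masqueraded system binary names are assumptions chosen for the example.

```python
"""Command-line triage over the behavioral1 process list of this report.

Added example, not sandbox tooling. The process list is copied from the
report; the allowlists are assumptions for the example.
"""
import re
from dataclasses import dataclass

# Directories a legitimate copy of a core Windows binary may run from (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative")
# Directories for which an inbound firewall allow rule is unremarkable (assumption).
TRUSTED_PROGRAM_DIRS = SYSTEM_DIRS + (r"c:\program files",)
# System binary names that malware reuses for masquerading (assumption, illustrative).
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}

NETSH_ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
# key=value pairs; the value is either double-quoted or a bare token
KEY_VALUE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def parse_netsh_rule(cmdline: str):
    """Return the key=value arguments of a 'netsh advfirewall firewall add rule'
    command line as a dict, or None if the command line is not one."""
    m = NETSH_ADD_RULE.search(cmdline)
    if not m:
        return None
    args = {}
    for key, _, quoted, bare in KEY_VALUE.findall(m.group("args")):
        # A trailing quote can leak in from an enclosing cmd.exe /C "..." wrapper.
        args[key.lower()] = quoted if quoted else bare.rstrip('"')
    return args


def triage(processes):
    """processes: iterable of (image path, command line). Returns a list of Findings."""
    findings = []
    for image, cmdline in processes:
        img = _norm(image)
        directory, _, base = img.rpartition("\\")
        if "\\appdata\\local\\temp\\" in img:
            findings.append(Finding("exec_from_temp", image, "image executed from the user's Temp directory"))
        if base in SYSTEM_BINARY_NAMES and not directory.startswith(SYSTEM_DIRS):
            findings.append(Finding("system_binary_masquerade", image, f"{base} running from {directory}"))
        rule = parse_netsh_rule(cmdline)
        if rule and rule.get("action", "").lower() == "allow":
            program = _norm(rule.get("program", ""))
            if program and not program.startswith(TRUSTED_PROGRAM_DIRS):
                findings.append(Finding("firewall_allow_nonstandard", image,
                                        f"inbound allow rule '{rule.get('name')}' for {program}"))
        if "/sl5=" in cmdline.lower():
            findings.append(Finding("inno_setup_stub", image, "Inno Setup temp stub launched with /SL5= (informational)"))
    return findings


# Process list (image, command line) copied from the behavioral1 section of the report.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\D5A7.exe", r"C:\Users\Admin\AppData\Local\Temp\D5A7.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\tuc3.exe", r'"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp" /SL5="$A01F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"'),
    (r"C:\Windows\system32\makecab.exe",
     r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211185637.log C:\Windows\Logs\CBS\CbsPersist_20231211185637.cab'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
]

if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f.rule:28} {f.image}  {f.detail}")
```

The firewall rule fires twice on this list, once on the cmd.exe wrapper and once on netsh.exe itself; in a real telemetry pipeline either one is enough, and the parent-child pair is the stronger signal. The makecab.exe line is Windows servicing compressing a CBS log and produces no finding.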
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
Files
memory/2980-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2980-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1380-1-0x0000000002990000-0x00000000029A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D5A7.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
| SHA512 | 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9 |
memory/2632-12-0x0000000000130000-0x000000000016C000-memory.dmp
memory/2632-17-0x0000000074BB0000-0x000000007529E000-memory.dmp
memory/2632-18-0x0000000004490000-0x00000000044D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\33ED.exe
| MD5 | a139bc5f371372d79f2a89358bf1cb1e |
| SHA1 | c69d1083137b01b02cd618b8f83918fd8b024cd5 |
| SHA256 | 24cb6a316489ca48a658201992d23abeaf64370eee430bd975d46e8d1c3b7d4d |
| SHA512 | ed513ebeea392e99761b341f1f675d61ea378f3cc2eabeabd0835f229d868afb0ed8deb6c91da14ed1a0caa4bc86b7235f4f9c708b9da2cc079e3cd39ece9abe |
C:\Users\Admin\AppData\Local\Temp\33ED.exe
| MD5 | 4146a78eb916ea0c61c38265739214ab |
| SHA1 | f12c4ff52f909f5e9e434d67a5edf22fe143882f |
| SHA256 | a44b6b0ae1ed6aa2665300e8e752607b3d50211d0461c8304d2ffe74336045e2 |
| SHA512 | 1515ee4be391e7062ff8d029279ef9435f2afda858d27f5ddc0ca0466a849982e3a4b5815a5af89e5ff7f8788aac0ea435de9bf081f682a78726a097ede39848 |
memory/2904-26-0x0000000074BB0000-0x000000007529E000-memory.dmp
memory/2904-27-0x00000000003B0000-0x0000000001866000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 7e23085391ec6f769f81d55520496c46 |
| SHA1 | cb2545c01d9bf54f30ee9636dded12387ee6bbe4 |
| SHA256 | 3f50e08ded7a0974dafffd81ce0352fe15c372c864f4737d686af4c4e87ad964 |
| SHA512 | 31b183f5bd6e13acfb9926ce788fdbab30a7d488aef9b5a16053d43daf1c68dbd8e213f07ad5352214f230a9e36186221fae4ccd2039f5000e65c4c5941eeded |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | cce61c1ece398cb8c0354e2375f36002 |
| SHA1 | e8536625266a75d3c2d632346ded77f6e2188bdf |
| SHA256 | baf5260412a3ad620bb50edd5e35dc682b1442a691f66dd498c47250d28670e0 |
| SHA512 | 04d139cc553da0865cf885ec4fa1afa9cb22448b49ab30592aed96ae53214842399e9991577af85e93c779382c47ed1ec7ca38531410f731a5bb9694633f6f7d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f5685f9645f54b5e14e50491c7510400 |
| SHA1 | 23dbb0d8898238f3b74d3f28255521c1dd8b4696 |
| SHA256 | d98debba162e7bdd569422e0e226c882c52da2d21122c16911a04c7519117d12 |
| SHA512 | 1991c06858dc865f7d14935a7ce16ef6df458b2991fa5abd86bc1deacf72dfd27f893d4618387874ceec61e232ea65744add6e24afb4deec93c2e65bc51dbcbd |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | fa7d23cad9fd740f278f958520ca2034 |
| SHA1 | 43216bd4dfb5f6ef8392baef9553db18e731aa20 |
| SHA256 | 1c178a01c93d4cabcfc36dbcb00c9af929b33746dcdd3207d94c9f84555e5d09 |
| SHA512 | 029b2aed04b111823df77a61a1cbb82c901285dc751305c7006061cf1587ede819192c71b77fcc0c28caad3a8e04622b4b20153769ffa862da8ba151dbad9ea0 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ed88de7bde0aa9e5c6373bf712a912e7 |
| SHA1 | 771c3cfe93ee2cb077d56189abab1543c4b19a0d |
| SHA256 | 6b9d8ef83bad81d4075c1419274320f7ee66490742f7779b87681330ec18c885 |
| SHA512 | 06fb06a9a73ba32368db66a91a787ba24fd050210fcab647321719ff5d9b7e5feceb00f121e3d25efdebc2ee3635c69d9176d2bdf567ddf46b6fb78e8765b633 |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 9cb73494c41bc76b37fe0b1eee3f9d94 |
| SHA1 | ad7e23afe7fb6fe10d3f1b5dc53bb4ea851a9b41 |
| SHA256 | 77722230f710d7f99547f1753cbb97e7c60845e3245a8fc9a93ec3337900c388 |
| SHA512 | e97aa4004e7f8dd7d7f2c8a38e9609d544a5602dee52808e3a8bfcfc1a53d998168d769bb1ccec42d4fcdc0cd7423dc973515088302975d346b81bf493b11b35 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 8cffcf746c4673ca144895207aa08d8d |
| SHA1 | d7584bb10dd9e2f23d9d1f6cb825d19bce17bbe9 |
| SHA256 | 9c8565e430a0d034984bfb618a1b2f821c27f4c6802539b02a673d25eb9a4012 |
| SHA512 | 35a8140206a4c457dff3ab46a54bccb68531c60f1fa2856dc748fa45322a7d8417d27ac7d8f17735e715801e4cd86ffb0bbe7b28eb9102e06b2c9894985eb4bf |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 578c8ca07a0040736c723f755332cff4 |
| SHA1 | bbe1448e51cfc66c6dc3dbdbf91a8910eec4fce6 |
| SHA256 | 319b350cbcbfaac2d306ff8d9c60816ce823e2eb450d0a254b53a453ce223fb5 |
| SHA512 | 28147a47499d0306e723cb596418e25408e62991284f6f26c6bcbe64b117fcf3b8caac3da30c42f53890fcf1567119ec9dc9764238b30a46a0423850596aae83 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1ac6f91f68a718573bc6e310e5267f9c |
| SHA1 | a30f1f046da88ec78fcab903e37f0b8520625d5d |
| SHA256 | 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a |
| SHA512 | 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381 |
memory/2124-64-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 9b6211efa859f78626cc1e41a4969e93 |
| SHA1 | 78e744caeeab9d0176d7c619f332387274d21652 |
| SHA256 | d7e66990530a78a1014c166975437f14e50d4ae464e766f4c2e2d02d4c76d989 |
| SHA512 | fd3350b0a1a7ac00345144372c55c8d390eac24c3e7a6962f7a9148a5703027079dc3ccbdd43bc4e0e6cddf4f443513d4b4d37efe231cb782f2fb5f4104f47f0 |
memory/2604-68-0x0000000002690000-0x0000000002A88000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
memory/1940-76-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-A08LE.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 50745d558a360f008a4ab2212c0e000f |
| SHA1 | 5a71cfd716f7096b3edb1eaa061062adc4278c22 |
| SHA256 | 6e310827e7cc4749bd654838b982ce9de66410a330d524e80ebda1dfcd572799 |
| SHA512 | c446af0b5b161d1ea9d1df872bcf0d299bd865ae2db79e44534e8dfda8a5ef25b8da7e15cd87237c9e51e40e683d9fb2ce585f68fd73242b5738dceee09b7751 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 44723bfa045a39954d74b08ed1cd900a |
| SHA1 | 0d55114212097cc1f8e3c3fcb116567ab29bd458 |
| SHA256 | 3af7e0f26aac0c1613bafe6d6e1bfc8cc8da95d11e9b92ed76682cd8b7804c63 |
| SHA512 | fb64750979727ddf3af53df23e135116a6cb491981cde9d054894da25628b4b437f2d52a61fd6f27ce5a3eeb107507dd4984cb35ca9f37edb6d82a45813672a6 |
\Users\Admin\AppData\Local\Temp\is-A08LE.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-A08LE.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2604-93-0x0000000002690000-0x0000000002A88000-memory.dmp
memory/2604-104-0x0000000002A90000-0x000000000337B000-memory.dmp
memory/2904-105-0x0000000074BB0000-0x000000007529E000-memory.dmp
memory/2604-107-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2632-108-0x0000000074BB0000-0x000000007529E000-memory.dmp
memory/1972-110-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1972-109-0x00000000009A0000-0x0000000000AA0000-memory.dmp
memory/2304-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2304-115-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2604-117-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2868-118-0x0000000000400000-0x0000000000965000-memory.dmp
memory/2124-119-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2632-120-0x0000000004490000-0x00000000044D0000-memory.dmp
memory/2868-121-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2304-122-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f81be07058935d224ab3843bff94fec0 |
| SHA1 | 1a7360901f8cb5017f7a41ca1a6984227b712b16 |
| SHA256 | 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c |
| SHA512 | 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e |
memory/1940-124-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1380-125-0x0000000003BA0000-0x0000000003BB6000-memory.dmp
memory/2304-126-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2604-131-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2604-132-0x0000000002A90000-0x000000000337B000-memory.dmp
memory/2400-133-0x000000013F4A0000-0x000000013FA41000-memory.dmp
memory/832-135-0x0000000002690000-0x0000000002A88000-memory.dmp
memory/2868-136-0x0000000000400000-0x0000000000965000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A3C0.exe
| MD5 | 78d06ca1c226aae5ebcd5f57fa7933f8 |
| SHA1 | 33a26511c5bba5000377f8ec2f7aac8712d3a3c4 |
| SHA256 | 10fe273698848317681f6c43e79c2164933e4b5937a2c9be935c0bd3f1f69a95 |
| SHA512 | e8d92ba7fe31953abd70e03a4edd949a12115cd6d9816abc5d179626b1f043426ac3db854005753db3c8634510f7b04e4df02b4e952ac50946e9118a0328795e |
C:\Users\Admin\AppData\Local\Temp\A3C0.exe
| MD5 | 8fcca81a606b4d8e60552944a9769603 |
| SHA1 | 45debeaedca3763d8f7a215024e516c00b0f4da3 |
| SHA256 | 4be91c2b94cc383a042fe567ff41fb1a5da6072f98dcc1cadfce958e4f6a1ef5 |
| SHA512 | ce136c4d20c957da87c84234c521773c91a3ded5370e09e231d46fe443932b779789e723b24ce8e43a009fb479ef21e301266cc54a892d34163f234702cfdb40 |
memory/1940-144-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1060-145-0x0000000074BB0000-0x000000007529E000-memory.dmp
memory/1060-146-0x00000000002A0000-0x0000000000794000-memory.dmp
memory/1060-147-0x0000000004E80000-0x0000000004EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AD91.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/2180-154-0x0000000000A20000-0x0000000000A5C000-memory.dmp
memory/2180-155-0x0000000074BB0000-0x000000007529E000-memory.dmp
memory/2180-156-0x0000000004960000-0x00000000049A0000-memory.dmp
memory/832-157-0x0000000002690000-0x0000000002A88000-memory.dmp
memory/2868-158-0x0000000000230000-0x0000000000231000-memory.dmp
memory/832-159-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 5aea1b8e8299dda8688663788d1bf770 |
| SHA1 | 3afb4c592f99b6a99de407532fef2831ab8a930f |
| SHA256 | e15b172d6fad36154885bdb3d1ae14d71d989d6ba515f6359096dd58816b4e19 |
| SHA512 | 140079927980d2c4d8bb90ca35596e25f164b8a42347ea2c39773356ad9f78d543370780545a5e1059a997b1b0d3f1caafd71d1ef30ff38494bd4a89b49d7573 |
\Windows\rss\csrss.exe
| MD5 | 9f5c71267bbc8cf4da4552b3015cba43 |
| SHA1 | 0a7515d566fbea860b0b92b487e0ec2a98903184 |
| SHA256 | 62a1e200d9cb189c4640d9ade6713781752ad248a2b36d892784b691c332c4dd |
| SHA512 | 5434030e43a3fef587b07014e2a73fa83ed826d7390b6981ab637b7e5d9931f406047f0fb16f4148da2346d87737340ca5873c33d9b18084b40cb6bbaf8e8d94 |
C:\Windows\rss\csrss.exe
| MD5 | 1443c35afa950f86e849dca2a9081678 |
| SHA1 | e393b037d5bc43ae4d6ab5ee7468359518a87eef |
| SHA256 | cbda4303a924161f7ca0ad9dfd7faf7ac98b5ef6e563808a036392489bbeb68b |
| SHA512 | 15fbe85e7d00a1f20754fecabb1c4d6855b387552f11df000f4225a981ac67804950bc1fae8c3c617eba86f862edbba18a818296e3a21066b1f4fb15c6c84997 |
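Two things in the file lists are worth pulling out mechanically rather than by eye. D5A7.exe in behavioral1 and B1EB.exe in behavioral2 carry the same SHA256, so the loader drops the same payload under a random name in each run; and 33ED.exe is listed twice with different hashes, so a single path collected once gives an incomplete picture. The network tables likewise mix the sample's own direct-to-IP connections (the Domain column repeats the IP, so no DNS preceded them) with the sandbox's 8.8.8.8 reverse lookups and Windows background traffic to Bing hosts. The following Python is an added example, not sandbox tooling: it parses entries in the format used on this page (a path line followed by hash rows; memory dump lines without hashes) and the network rows, validates digest lengths, groups paths by SHA256 and SHA256s by path, and drops the noise. The embedded samples are copied from the report; the noise list (the 8.8.8.8 resolver, in-addr.arpa PTR names, bing.com and bing.net) is an assumption to confirm against a clean-baseline detonation.

```python
"""Extract file and network IOCs from the Files and Network sections of this report.

Added example, not sandbox tooling. Samples are copied from the report; the
noise filter is an assumption for the example.
"""
import re
from collections import defaultdict

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMORY_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
NET_ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|(.*)\|\s*(tcp|udp)\s*\|$")
# Assumption: sandbox resolver and OS background hosts, not sample traffic.
SANDBOX_RESOLVER = "8.8.8.8"
NOISE_SUFFIXES = (".in-addr.arpa", "bing.com", "bing.net")


def parse_files(text: str):
    """One record per dropped-file entry: {'path': ..., 'md5': ..., 'sha256': ...}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                continue  # hash row without a preceding path: nothing to attach it to
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length under {current['path']}")
            current[algo] = digest
        elif MEMORY_LINE.match(line) or line.startswith("|"):
            current = None  # memory dumps and other tables carry no file hashes
        elif "\\" in line:
            current = {"path": line}  # a dropped-file path header
            records.append(current)
        else:
            current = None  # section heading or stray text
    return [r for r in records if "sha256" in r]


def group_by_sha256(records):
    """Map each SHA256 to the paths it appeared under, and each path to its SHA256s."""
    by_hash, by_path = defaultdict(set), defaultdict(set)
    for r in records:
        by_hash[r["sha256"]].add(r["path"])
        by_path[r["path"]].add(r["sha256"])
    return dict(by_hash), dict(by_path)


def parse_network(text: str, drop_noise: bool = True):
    """Parse '| CC | ip:port | domain | proto |' rows; flag direct-to-IP connections."""
    out = []
    for raw in text.splitlines():
        m = NET_ROW.match(raw.strip())
        if not m:
            continue
        cc, ip, port, domain, proto = m.groups()
        domain = domain.strip()
        if domain == "N/A":
            domain = ""
        if drop_noise and (ip == SANDBOX_RESOLVER or domain.endswith(NOISE_SUFFIXES)):
            continue
        out.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto,
                    "direct_to_ip": domain in ("", ip)})
    return out


def network_iocs(records):
    """Sorted, de-duplicated ip:port strings."""
    return sorted({f"{r['ip']}:{r['port']}" for r in records})


# Entries copied from the report (behavioral1 and behavioral2 Files sections).
FILES_SAMPLE = r"""
Files
memory/2980-0-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D5A7.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
C:\Users\Admin\AppData\Local\Temp\33ED.exe
| MD5 | a139bc5f371372d79f2a89358bf1cb1e |
| SHA256 | 24cb6a316489ca48a658201992d23abeaf64370eee430bd975d46e8d1c3b7d4d |
C:\Users\Admin\AppData\Local\Temp\33ED.exe
| MD5 | 4146a78eb916ea0c61c38265739214ab |
| SHA256 | a44b6b0ae1ed6aa2665300e8e752607b3d50211d0461c8304d2ffe74336045e2 |
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
"""

# Rows copied from the report's Network tables.
NETWORK_SAMPLE = """
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
"""

if __name__ == "__main__":
    by_hash, by_path = group_by_sha256(parse_files(FILES_SAMPLE))
    for digest, paths in by_hash.items():
        print(digest, sorted(paths))
    print(network_iocs(parse_network(NETWORK_SAMPLE)))
```

Blocking on SHA256 rather than on path catches the renamed copy in the second run; blocking on path alone would miss it. The direct_to_ip flag is the network-side equivalent: every surviving endpoint here was contacted without a DNS lookup, which is itself a usable detection feature on hosts where direct-to-IP HTTP is rare.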
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 18:55
Reported
2023-12-11 18:58
Platform
win10v2004-20231127-en
Max time kernel
49s
Max time network
77s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3188 wrote to memory of 4924 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe |
| PID 3188 wrote to memory of 4924 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe |
| PID 3188 wrote to memory of 4924 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe |
| PID 3188 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe |
| PID 3188 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe |
| PID 3188 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe
"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
C:\Users\Admin\AppData\Local\Temp\F09B.exe
C:\Users\Admin\AppData\Local\Temp\F09B.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp" /SL5="$50120,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Users\Admin\AppData\Local\Temp\1598.exe
C:\Users\Admin\AppData\Local\Temp\1598.exe
C:\Users\Admin\AppData\Local\Temp\19C0.exe
C:\Users\Admin\AppData\Local\Temp\19C0.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.6.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| US | 8.8.8.8:53 | 96.198.221.185.in-addr.arpa | udp |
Files
memory/4116-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3188-1-0x00000000033B0000-0x00000000033C6000-memory.dmp
memory/4116-4-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B1EB.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
| SHA512 | 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9 |
C:\Users\Admin\AppData\Local\Temp\F09B.exe
| MD5 | 61373d23292aed3f56c803f4afe5532b |
| SHA1 | 737f88128f30da60a0f733bf724d44363b154f77 |
| SHA256 | 6f081eb36e548e029153784ac1f26a76dcb8c43a1814be6458054ab459a842df |
| SHA512 | 1d21fd1db5c7f01fe7ded6a223b6f68b04a6c9b39b3b14b6c8618e1f4b34e882e531d5711f360eb014db4da892623f05f1d56cc754dd756c46a1b3e7e44adbd1 |
C:\Users\Admin\AppData\Local\Temp\F09B.exe
| MD5 | 1122f3e1f3ec4bdaf7c7dd1b63e1e2df |
| SHA1 | c19b0e4b53fbeead620e63cfb25c209f116dbeac |
| SHA256 | ad91d918d521e2baa52c2bf499aaa11aa088b5e7bd07a40e4042400467addcc5 |
| SHA512 | fc44bcd9bddf0f0668ee4e8449955637b3e73bfb0b86e4a2ec22cd21914271dc0a810e1577e52f17467ebe68c80813cc7c63c25cf211cf8373c9c92331f31038 |
memory/3028-16-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/3028-17-0x00000000004F0000-0x00000000019A6000-memory.dmp
memory/4924-19-0x0000000002C20000-0x0000000002C5C000-memory.dmp
memory/4924-24-0x00000000743C0000-0x0000000074B70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 55a76a2b0da9c3f5a3eaf64696e0cb07 |
| SHA1 | 10d21327682afb6ef84387b1fb9a40fc878a3aa1 |
| SHA256 | ebfefd557774941bc2516a909bb1c328df664fb9c693bc5cadfc1b5bb2ffcae2 |
| SHA512 | 2a26affc5c13304fb3de60bd9e9622ea8d115e463a31180c0f95f7a0b434a282f3914561a896c389c531f8bb0ed8870e2681260ecbd623babbf68aa912f5fadd |
memory/4924-32-0x0000000008190000-0x0000000008734000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 6b1a159c7cf174ffc59e9683f20c60b5 |
| SHA1 | d8ea70530ffa1ecc063080bfebe2f8ca1bab44b6 |
| SHA256 | 0a46431b6fba57e2754a5cd19e2b95badecc162af04dcdf905ec0a4b81a90da9 |
| SHA512 | 419e54ca143bbb8029da9d91c583a960eb7c31039f1ffd8e0cd328124a3f97e585c7cae525a7d421455fb934a0fd90418a6983045d058f6d1d38617b04decbf6 |
memory/4924-35-0x0000000007CC0000-0x0000000007D52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 99645d4fb49d38ef42eda77a2f3b9d8f |
| SHA1 | 895a1c02cd5cf48652080c4fc8aaf26022e06bb9 |
| SHA256 | 9d3038c60204675dbc2fc9e0fd5f776eb7e2412d8720cb71c8fef872799b2601 |
| SHA512 | 035dd1910a13fcaa1b4911f5b9aa3c3fa3ab720f74ed8083ca3d2e6ccb2cf23707af9e8274696231e9d4d6650a0a6fc1e21140eb38fbfbf771e4f5f83321a1b8 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 5dd44d0509871eec95c758d40f525d79 |
| SHA1 | 73d493c6884b96f179180e5850d6334a7814c930 |
| SHA256 | fbfbdfa46ed671e652c67a4fddcf548ecadd8c9be6ef3e2c33e3163f2c147282 |
| SHA512 | ca51000cc3e2e9c2b9a38a258b1288abe6428947a2c9ffeb05d226199a24d1df6c5eb6795fcd735bcf0a98ce9d0e18bd8adcd1977aa8580cf591b6de20e2e27a |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 9eb8cde9f6ad9cbcad827b1f7486532f |
| SHA1 | 812ee2df1b97e99f77f5dccfda705b3859bea51d |
| SHA256 | 0a1290fc84f4b2aff2770cc491a1bad42e351432402e0306ae860c0ad78c9614 |
| SHA512 | ae34d556348f94a0a4ae8c12188d159a7dc138ec46597256d41ddb97e82fb6ceddad13db8ed7433c4bd43f2da16f846df12a26bfab1157313b3ce57f1e371b4c |
memory/4924-44-0x0000000007E10000-0x0000000007E20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9890563f729fd6204fe444239ef96712 |
| SHA1 | 1e326dce79e8fbd7b3fbb58c42ee8cbd0f19b01c |
| SHA256 | 2cf2533ea3dc8865b0de7abb4e8e44feb0d3eb5964eed911adad73924331d4a5 |
| SHA512 | 54e3dd8913a6cbe1545476a861308505f05e75b5b0b9051ffeb04ac952378564a6385419db3f86d6a5130d292aab8ae9614fe253bd78db20402bb8ef12535e67 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 59d0b1da6248e22c448668eef019c82a |
| SHA1 | 61dc1313fc9c90a39a54ce248882f93d929b00fb |
| SHA256 | db5a2f1340e0394a0c5400f893a62f5f2f4b9d2fadd9a01c72322f235abe2d08 |
| SHA512 | 9204c6caf33d40afa12abeb14a35dec1d341ee3a8c196e4a8ae6b041af4c8d5560356f598a4c43d9adb46f6cc5150541149c534170076a2dcef80ca012ae40e8 |
memory/4924-55-0x0000000007D60000-0x0000000007D6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 98eff24d7fa8551dd0b43091ba9e863d |
| SHA1 | e8443f8d734e425c6251c69518552f0bcd1c22a9 |
| SHA256 | 524316c79ec405709dfe99e82100dcb3758960fc250796c2cd2b26eaddbd5451 |
| SHA512 | 6ec7635c29e8d74539930f055fa7e0a677b93acb622ec49f5059d5331ce22a8767ec5bf4ba673e770f2a3be346cabc974c232e64ba81f4b263b9315be1519ec4 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5a31304a677945ee31c8cb9ba97cf79a |
| SHA1 | 1b24a39a7f040f637d43193e75ab02da16633cbb |
| SHA256 | 48222e715083ef96edbab914462e772086ae72cdb8b421000a0bcebda584be2a |
| SHA512 | e7d21fd12b87c82bb812908057387ebb0bbf3773771b232864705570ad3970153885599317501a4db1cba2fcbb87f168c396653376b9fb0ba45836aff8d0af55 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | bb62eb5da4f2a9ab8434396d9752fdb0 |
| SHA1 | ad269614474763d1b6f1b39e51ff58b99bdd2e13 |
| SHA256 | 08a4f6f94fe0a0b52fab5283aa44f062bb68c1755205bd81ef924f352f2d209e |
| SHA512 | e4da83dbae17e1db6e57692a409ac9c05f7fba029fd1a75d2cee8a1d529475ff4698db371dfd14c846197226077d6699cf648b4428656861f0f5304e819e3632 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | ec84319ca2e52e8ddc444fdbcb1e4666 |
| SHA1 | fe7d89bae5c7c5bd8563b9dc4da9a52da2f4549c |
| SHA256 | 7b48e22bf0054e327336eeb35ea7dea0ece5db17ae5a3ed7e416f0e4db09ab4b |
| SHA512 | 22a1f636bd2cf22cdd807aa022088b7f84dca12b2b906cfc703db4438bf58eaaeea5bbb87f0e37ad578281bcc0f19812443303b2540eeaa7e43680921a787a54 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | c6188926b380d45e3e384bcbfaf0798a |
| SHA1 | 864a0987a82e79a53f15df9e117a8e4cfdb7c6b0 |
| SHA256 | 52ce724f1df325548e1a0671790efae68ccd156efd5daeb8a464a1d11b04ae6e |
| SHA512 | 15028fc894d56308bcbe33d49506c4e8a01243811821b11fb9eb900b3b23ba5bafde77c8c36651cbd020692978b53c29975225393feae6634285c303eb4747bf |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | ef2ca2474315d4eba957c6bd2b031cc2 |
| SHA1 | b3bbc9e287cb3030170d2c3e726498d23cf729f5 |
| SHA256 | 4f0484833fe42498719df309016e656332af9875bed05309c911a52faab233ff |
| SHA512 | 8c4463596876a5ef5d011f3e01544652bff573f43d585b982711b008e7d3a4a4c3bb6a5238317f0dfff711d51e1499bb0e270dd15bd32ecc6bdbb96e7d64b36c |
memory/4812-70-0x0000000002930000-0x0000000002931000-memory.dmp
memory/3484-69-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4924-75-0x00000000090A0000-0x00000000096B8000-memory.dmp
memory/4924-84-0x000000000AA30000-0x000000000AA42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | e0cf3db8ce083736035ed1429dded0c6 |
| SHA1 | 10b784cf8218a50b6f6631098b1f165dafbc570a |
| SHA256 | 418bef91323d482fc5aec7341403102209523c028e141baf4a67fcc83e861de2 |
| SHA512 | 437aa3b3d8ef28020c6dc0494386bd8ad23945d6fe65c7eb4f0b8df18a2cbf6a61462ab67dbf5f5d005d59883b52f528acd3a31ffc939cabdc21fae56d1b0967 |
C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp
| MD5 | c92eb06a2c0616bdf739a70b1427b0f0 |
| SHA1 | 3657c0f2e2ebf65d95469e93ad781516e6b808ef |
| SHA256 | 0551438a2f2a917e628bfc212473dafb78edcabd6188389dd485be69437f3e03 |
| SHA512 | e23e7499c7959b8cda5c12f888aecc1d08556163280b603998e2ac8dfb268c2d721e5280b977b2d9afcb2312706ec98bfbd490d9a22bc7bb0a8620db19e53327 |
memory/4924-79-0x000000000AB00000-0x000000000AC0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp
| MD5 | 1a327de070fc16c88d3c369cf9314bf5 |
| SHA1 | a53c32f679db313d44ec8dddc18b016a3ad89da0 |
| SHA256 | b9a0db5eedba426c889821ffccaf602603a437ebde43341cb2f64565e37903f9 |
| SHA512 | aff71beaae966666f24622a43ba21de49718006bd930df29d2b8dfacdfb26cb01bbe3ef69a0b916da978ab0d29615f1c804528a4e6491141e1161e561ac0f243 |
memory/4924-85-0x0000000008C10000-0x0000000008C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UTTGH.tmp\_isetup\_iscrypt.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4932-115-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | cb8589780ed4eec49ce86fe0ca6812df |
| SHA1 | 3c267b05846411a2b10fdd2cc5b00cea8c0379e9 |
| SHA256 | 2146a3ddbf475225fd03d435a21b61d585544f6d1dca1e18f9e81905f1b77b3a |
| SHA512 | 97c1aa495c9c1fec778b1c976ecdc88799801b13fcf35ff26fdb8cd249b706c7a152b2bde8747066977b192732c376a2672042722445b163e7744b2cd8d23d18 |
memory/4924-159-0x0000000008C50000-0x0000000008C9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UTTGH.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/3028-229-0x00000000743C0000-0x0000000074B70000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 15a0dda351f35636385497a7c32e84c8 |
| SHA1 | 5007367936d3c411df6b83a68e64096d45a9bba0 |
| SHA256 | b190ff05a520cba2b5e83b5601ad00fbc2a5d05787e52e6d11527cb3c3c1076f |
| SHA512 | 6ed427e710eaf4b594dcaa2507f281b57a938d554d89edf3f0389d8c619777907d83587cfb40d9cc5c86db178ea648fb7d3f3e436076e9ecfd246b1edb3df406 |
memory/2084-234-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 53258ca3c2c1806217f2a74a5e3efa98 |
| SHA1 | 7cb56064f993331162718a41fbd24e0aaaf2fd72 |
| SHA256 | e0146be4280a95bd883a2b94c2a1e7dec70659e4ac72d4adccc79e5f1564e372 |
| SHA512 | d9dec66adae672c4a6da27172bb0bf58f7d5ffca01f33a572993b71c21d60e41442a042d348dd0d69546b30c98e9ff456db90a30d6d36ff029f2cbe124aa1f8b |
memory/2084-238-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2084-235-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4364-241-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 1f41e68cfaba2605bb3d22f9d2dbffc9 |
| SHA1 | b88473492b0ba6699a3eb1b5bc78f3fdaa435a64 |
| SHA256 | 42554a216c5a6004b4aa3bda996148bb87cb9ccc16c6544c42b631f5be729c7e |
| SHA512 | 85b54df76e4f297535716ed9ee4f1315a3a5d5837838458fee83da4bec1cceb41a9863d24c163192d22464e42a61fd4fb3303cf87bd50777601fae4642fd304b |
memory/4364-243-0x0000000000400000-0x0000000000785000-memory.dmp
memory/820-248-0x0000000002A00000-0x0000000002E03000-memory.dmp
memory/820-251-0x0000000002E10000-0x00000000036FB000-memory.dmp
memory/3860-252-0x00000000005A0000-0x0000000000A94000-memory.dmp
memory/820-253-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1598.exe
| MD5 | d078895fbe1120409ac4670b293f8c76 |
| SHA1 | 5e398cf5a2d357663f932f03527d0d82b6374cea |
| SHA256 | b9ce67e1a5272cb32387114ce7af01596bee018472ac6531c50e14542c0991f1 |
| SHA512 | 1b15b5e7b7bab4e828d5567d69699114427b85a29102857e7c0873385f1a11e2b150c7bad57b03d1bafb8fa59f309728e17cc0b40701a8636e49258619129b3d |
memory/4924-254-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/3860-255-0x00000000055B0000-0x000000000564C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1598.exe
| MD5 | dd0d2808eac8d10eee37ff74fafe76e3 |
| SHA1 | 22592377b87d71d705742fc361e1375beedf64e7 |
| SHA256 | 1e2f298dc66f4349c7428a2b613e9f0e704e5981d57a92eb8466c045a11af488 |
| SHA512 | aef349116b20978beac1f1b14873a3be42026eabf1bbb308065aa80db37c3bb68718081757bb6d08b170841bba5b4d076a91d2caa5c0eef4a9343b0fba65fbbe |
memory/3860-256-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/4924-257-0x0000000007E10000-0x0000000007E20000-memory.dmp
memory/4812-262-0x0000000002930000-0x0000000002931000-memory.dmp
memory/1364-264-0x00000000005D0000-0x000000000060C000-memory.dmp
memory/1364-268-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/5084-269-0x0000000000860000-0x0000000000869000-memory.dmp
memory/2432-270-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2987c50bafba384b02797e86facd5a73 |
| SHA1 | 7ad70c88c1b9c24147ee884dbeece0fc774af3e0 |
| SHA256 | 73fc8f0f66165ac5f2eb5e3be46150dcc560279c9226d89c27b64b8647675a03 |
| SHA512 | 51e875a9f78ace4d334d111764f5fffe5ac32ba1c82cc6b1ddb3d1875526e081e0e6f83b2e8e3101ee7fe57e268f15c0e397602c0e249bd0bf3cc74a5d0f4ffc |
memory/1364-271-0x00000000075D0000-0x00000000075E0000-memory.dmp
memory/5084-267-0x0000000000968000-0x000000000097B000-memory.dmp
memory/2432-265-0x0000000000400000-0x0000000000409000-memory.dmp