Malware Analysis Report

2024-10-18 23:12

Sample ID 231211-agllwshcb5
Target 11ba26c3e43e06c31802a613807bc0aa.exe
SHA256 8fa6f659cc7a07a1769348ce2cea171dd5d9877f26167bae676a951a9275c87a
Tags
smokeloader redline livetraffic backdoor infostealer spyware stealer trojan eternity @oleh_ps up3 discovery
score
10/10


Analysis Overview

score
10/10

SHA256

8fa6f659cc7a07a1769348ce2cea171dd5d9877f26167bae676a951a9275c87a

Threat Level: Known bad

The file 11ba26c3e43e06c31802a613807bc0aa.exe was found to be: Known bad.

Malicious Activity Summary

Smokeloader family

RedLine

Eternity

SmokeLoader

RedLine payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Runs net.exe

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 00:11

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 00:11

Reported

2023-12-11 00:13

Platform

win7-20231201-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6900.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\6900.exe
PID 1196 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\6900.exe
PID 1196 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\6900.exe
PID 1196 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\6900.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe

"C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe"

C:\Users\Admin\AppData\Local\Temp\6900.exe

C:\Users\Admin\AppData\Local\Temp\6900.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 00:11

Reported

2023-12-11 00:13

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe"

Signatures

Eternity

eternity

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DE4A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A3D8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DE4A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3208 wrote to memory of 4448 N/A N/A C:\Users\Admin\AppData\Local\Temp\DE4A.exe
PID 3208 wrote to memory of 4448 N/A N/A C:\Users\Admin\AppData\Local\Temp\DE4A.exe
PID 3208 wrote to memory of 4448 N/A N/A C:\Users\Admin\AppData\Local\Temp\DE4A.exe
PID 3208 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\A3D8.exe
PID 3208 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\A3D8.exe
PID 3208 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\A3D8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe

"C:\Users\Admin\AppData\Local\Temp\11ba26c3e43e06c31802a613807bc0aa.exe"

C:\Users\Admin\AppData\Local\Temp\DE4A.exe

C:\Users\Admin\AppData\Local\Temp\DE4A.exe

C:\Users\Admin\AppData\Local\Temp\A3D8.exe

C:\Users\Admin\AppData\Local\Temp\A3D8.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\A84E.exe

C:\Users\Admin\AppData\Local\Temp\A84E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\AD70.exe

C:\Users\Admin\AppData\Local\Temp\AD70.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-TRNB2.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TRNB2.tmp\tuc3.tmp" /SL5="$D020E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

Network


Files
