Malware Analysis Report

2024-10-18 23:12

Sample ID 231211-aqv7pagbhp
Target 0x0009000000015f2f-118.dat
SHA256 4f88c75a87294206a034625faefc4330b00a7d179f34dc7f67c053277b8d2f35
Tags smokeloader eternity redline @oleh_ps livetraffic up3 backdoor discovery infostealer spyware stealer trojan glupteba dropper loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 0x0009000000015f2f-118.dat was found to be: Known bad.

Malicious Activity Summary

RedLine

RedLine payload

Smokeloader family

Eternity

Glupteba

Glupteba payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Uses Task Scheduler COM API

Runs ping.exe

Checks SCSI registry key(s)

Runs net.exe

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported 2023-12-11 00:25

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-11 00:25
Reported 2023-12-11 00:28
Platform win7-20231201-en
Max time kernel 62s
Max time network 77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe"

Signatures

Eternity

eternity

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5A02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7A9.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5A02.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A02.exe
PID 1204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A02.exe
PID 1204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A02.exe
PID 1204 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A02.exe
PID 1204 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7A9.exe
PID 1204 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7A9.exe
PID 1204 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7A9.exe
PID 1204 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7A9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe"

C:\Users\Admin\AppData\Local\Temp\5A02.exe

C:\Users\Admin\AppData\Local\Temp\5A02.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\FA48.exe

C:\Users\Admin\AppData\Local\Temp\FA48.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\2D1.exe

C:\Users\Admin\AppData\Local\Temp\2D1.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\F7A9.exe

C:\Users\Admin\AppData\Local\Temp\F7A9.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\2D0D.exe

C:\Users\Admin\AppData\Local\Temp\2D0D.exe

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\3D34.exe

C:\Users\Admin\AppData\Local\Temp\3D34.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-11 00:25
Reported 2023-12-11 00:28
Platform win10v2004-20231127-en
Max time kernel 65s
Max time network 68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe"

Signatures

Eternity

eternity

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F414.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684B.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F414.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\Temp\F414.exe
PID 3188 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\Temp\F414.exe
PID 3188 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\Temp\F414.exe
PID 3188 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\684B.exe
PID 3188 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\684B.exe
PID 3188 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\684B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015f2f-118.exe"

C:\Users\Admin\AppData\Local\Temp\F414.exe

C:\Users\Admin\AppData\Local\Temp\F414.exe

C:\Users\Admin\AppData\Local\Temp\684B.exe

C:\Users\Admin\AppData\Local\Temp\684B.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6E58.exe

C:\Users\Admin\AppData\Local\Temp\6E58.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-3UE99.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3UE99.tmp\tuc3.tmp" /SL5="$B002C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\6CE0.exe

C:\Users\Admin\AppData\Local\Temp\6CE0.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\96D0.exe

C:\Users\Admin\AppData\Local\Temp\96D0.exe

Network

Files

SHA1 4f7c9940c32c98f0cff46af9db7a2d1c4a984687
SHA256 69d526960babeaf244960c7e6a364aab74ef3a7863c1829ef27f39b58fbf84f2
SHA512 9325e32f277d8d8e2268184a88d56a8ff3845cfeb355ca2e250355617db163070f59cd8f9ea9ac0d8ba812242d4bb6f979c462de4657ac0ea0c4b349b24c34f5

memory/4576-104-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e77422fac1e9d2d11cf7f1c1d57071a4
SHA1 53e63414263dc20ea044c6cbb4fb4fc2c2be6140
SHA256 9d0cfbb7bb8da895a7f43758556217bf4c00b5c335c56b1f765c14069993e320
SHA512 d2b84dd99814d55c541f02452eac9c9344bfd838d1f8b73a07bcc3193b9122176ffee19a182712b0ea646fb9e4b306732940efb0f38f0903d98788ecf2495f53

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 313a28bc5eab1d6e36fc5514d2101669
SHA1 6701060f4bf6f2221e8f3cfd4e0ae767119536e8
SHA256 073630374075f2dd5846a4e704e736cde19fad29447c8afa75b18d1c71676ee1
SHA512 b895f1cdeeb8a0e36d481e77edd4581db71076124e22da291c1398c940b2c2dbde4f392f0a51280b1b7a08d7d28b8bd2ef25048118b424a524a3ee9d6e7ff74c

C:\Users\Admin\AppData\Local\Temp\is-3UE99.tmp\tuc3.tmp

MD5 652ab59cef3bcb3765b8129b001b1b17
SHA1 1d16e83d79acc757fb396531fc4dfeb12d171cc6
SHA256 d91ca1190d3e0ccc89c74e9edeafb9a99a9c37b9f17faaef0c0833509e184960
SHA512 d48d6c471b1d5be8835314dd1b7acbac2d2d941d808421c561ac476450f1ec5ea977b41b469384e252369ccbcd57936340bb582d6626541979e59ee2b501286c

memory/4180-115-0x0000000074AD0000-0x0000000075280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IEJL2.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3016-131-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IEJL2.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\is-3UE99.tmp\tuc3.tmp

MD5 0a61a940af1d08a0e2713df014950363
SHA1 27df3574f5e0b002e2eb3f29e70e5170e37ba106
SHA256 d5e0cb080a63aaa2d8bb1cff29e478a89e8cb19f2d60f963e86df0a0ec46899c
SHA512 dd1eeb0c862c2e227113e34b1d6a77b0c397bb52d97275a503aced3a1a1a8e33ea669bb6bfabfe5e92b7fcd362a9020ee12c850038766394a5fc7e03966be6ff

memory/4108-101-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4104-100-0x0000000007FF0000-0x0000000008000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 086cab1e72272ab9a3ca694d0864d696
SHA1 ae1c615fecf94bc45a66a3c4808652923517ade2
SHA256 1b95c35fe6d117ada5a170146bcb34089f93fe2de2c3aa64bbc9e468277c5975
SHA512 c2532c5066fc34bfb628b6cc91a31c292df1017aba18defe744f0d7968f7bb37ed301653848de35c900ac378a73394b820d00ce55bf5472cd5e2906d590f267e

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 4e786d5b73be9389680016a320a65638
SHA1 ed2b543de8401fb6be88aca01865391b8fe6f61d
SHA256 c5d0a0e1bcb4b142f6d112fd8106c0ccac2dcaa3a2f4a6fbcf23cb7b5799a7f6
SHA512 e8600d1e6bbfdc60b6b1d608cbe9924a875d63d35ad2b1f917ef149fd4cf500b3bb7cbda053665eaf1446db3110cb04007233548a79a9c605223c1bb906068d2

memory/4108-264-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 20c5e0682a0e120fef968866bb1daf33
SHA1 5b45864233aae5ff6efdc812cb3c1a4868a2220d
SHA256 5996beaf1af04c4e703302b9bf64650c1e4c85210b7091d2912ae69c75984f1a
SHA512 6183c7ce9ab483a42fa26e3384eaf398151b5111d7fb67e56f47ebdd0549cc83136a0da85fb07c0c08ace2ee63293aed816978290e38072d599ed1dada4a93d8

memory/4104-263-0x0000000007FF0000-0x0000000008000000-memory.dmp

memory/4856-267-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4108-260-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4108-259-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 0cf5b0d6c606f8cfaa7d6bc5c1d661f0
SHA1 ca73b054e169052153456e3721b0b50bb04dba01
SHA256 902912c21b2cda60a01b2a91c19facd5f000f822378382178b429ae1b472bb48
SHA512 589e6fe2e5d61727bf95d9a1755a1c3bfd0c7036609c1660b72440106f1355d94de070898b4effed3d77be740eccd511ac9c893a430466ee6410521c2d732ef6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 720ccf0fe78d24797695cbaf74c4d6ae
SHA1 9986d872f1fcf59ecce53c9dca122c319cdc0782
SHA256 8014d08dc27edc93afb805085a7f53b205f0224c16ecec258fb49a5db3e3285b
SHA512 28214a8e6ba177a346c0ea30ecc94bd6c658ecffdfc17cb6d34416e9b63dcbb76eefea187a9f9f48e4cfd5c2293922b7ad7de5e1be6096b9520560bd8d99a782

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a258a7413a2476262d2a30a7139ad5ce
SHA1 3706a51ffbd3648cda198eb087a2318b8c76c434
SHA256 f1a73660b659eb2817fe95c1414a738df8fee794322c13f173e71a8cf5766126
SHA512 aeb5855c65e873a353998cba00bd942cc5c4f04abb329554f2aee92c213689441be91645ebd0b37dd54cbf9133b778e664aa6bc5ce69f0c2830d6039685aa062

memory/2336-74-0x0000000000F60000-0x0000000000F9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E58.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/4108-62-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4108-53-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4780-270-0x0000000002960000-0x0000000002D64000-memory.dmp

memory/4780-271-0x0000000002D70000-0x000000000365B000-memory.dmp

memory/2336-272-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4780-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2336-273-0x0000000007F10000-0x0000000007F20000-memory.dmp

memory/3852-275-0x0000000000A30000-0x0000000000B30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 c89fca91bcde91a7d8485fe2bb992b3e
SHA1 37ddebd68133af54a65a2bed63ed5c5bef63d65a
SHA256 1384d3321f3768900223ebfee2a62281709f58ad1835a1788bc0cfaa948d72d2
SHA512 637c7c627e115cb14075ae21417ca3219cb17957c719fef66a91e2d6ee8a8eaeba807ff76b30d5c9b2e9827cfa053cae4801167e23032841beace85d92965fc6

memory/1452-281-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4576-280-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5020-279-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1452-277-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3852-276-0x0000000000A00000-0x0000000000A09000-memory.dmp

memory/484-282-0x0000000002B70000-0x0000000002BA6000-memory.dmp

memory/484-283-0x00000000053A0000-0x00000000059C8000-memory.dmp

memory/484-286-0x0000000002B30000-0x0000000002B40000-memory.dmp

memory/484-285-0x0000000002B30000-0x0000000002B40000-memory.dmp

memory/484-287-0x0000000005360000-0x0000000005382000-memory.dmp

memory/484-288-0x0000000005A40000-0x0000000005AA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydk3fyab.pq1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/484-284-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/484-298-0x0000000005D40000-0x0000000006094000-memory.dmp

memory/484-299-0x0000000006180000-0x000000000619E000-memory.dmp

memory/484-300-0x00000000066C0000-0x0000000006704000-memory.dmp

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

memory/5020-307-0x0000000000400000-0x0000000000965000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96D0.exe

MD5 4589e441fc0e7682fe35d50666521c90
SHA1 f15d1efc31c7780bbc650ae69983bca9d2a0f8bf
SHA256 3a5ce7f780674c2afd521e6f82ffe1bf5bc91051edd5db3f832225cda6a9e26b
SHA512 3fa7018d1c3993185798aba43e545e4bb7d750848095570b18dd5a00a07ad1487ce1a4ed6eb66040adc8db77b592f2d254f9dfaf7f443e98d8e8f346ef56d36b

memory/4780-313-0x0000000002960000-0x0000000002D64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96D0.exe

MD5 dd9927920604154d706609919b1f3be1
SHA1 dd27759744defdd88bb6d5ee32193aecfd3dfaf9
SHA256 837ee1e7f5f8382a481ba9c7b447ca8c5c50d20d2fad238d2825d46e8bb2c893
SHA512 9a9631f585a0c44925a3e9126d3faaacec3da6a274d5ca11d33f8bf545392f7d492a5e9d9354412fd3e51af82fd5f50c000d2085311eb86429acb85326e56dfb

memory/2320-314-0x0000000000A20000-0x0000000000FD2000-memory.dmp

memory/2320-315-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/484-310-0x0000000002B30000-0x0000000002B40000-memory.dmp

memory/2320-316-0x0000000005B30000-0x0000000005BCC000-memory.dmp

memory/484-306-0x0000000007470000-0x00000000074E6000-memory.dmp

memory/4780-304-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2320-319-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/4780-318-0x0000000002D70000-0x000000000365B000-memory.dmp

memory/484-321-0x0000000007510000-0x000000000752A000-memory.dmp

memory/484-320-0x0000000007B70000-0x00000000081EA000-memory.dmp

memory/4856-301-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3016-322-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3188-326-0x0000000002830000-0x0000000002846000-memory.dmp

memory/1452-328-0x0000000000400000-0x0000000000409000-memory.dmp