Malware Analysis Report

2025-03-15 05:15

Sample ID 231211-xk1asaehck
Target 0x000800000001628e-136.dat
SHA256 8efed3b792accd764dc37407da33d7b5600129edbedaa956e6bba34d06d3e1f0
Tags
smokeloader glupteba redline zgrat @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8efed3b792accd764dc37407da33d7b5600129edbedaa956e6bba34d06d3e1f0

Threat Level: Known bad

The file 0x000800000001628e-136.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader glupteba redline zgrat @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader rat trojan

Smokeloader family

SmokeLoader

Glupteba

Detect ZGRat V1

RedLine payload

ZGRat

RedLine

Glupteba payload

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 18:55

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 18:55

Reported

2023-12-11 18:58

Platform

win7-20231023-en

Max time kernel

58s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\xrecode3\stuff\is-JLMIA.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A
File created | C:\Program Files (x86)\xrecode3\stuff\is-F4EB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A
File created | C:\Program Files (x86)\xrecode3\stuff\is-LLNFC.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A
File created | C:\Program Files (x86)\xrecode3\install\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A
File created | C:\Program Files (x86)\xrecode3\install\is-7SD3C.tmp | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1380 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7.exe
PID 1380 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7.exe
PID 1380 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7.exe
PID 1380 wrote to memory of 2632 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7.exe
PID 1380 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe
PID 1380 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe
PID 1380 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe
PID 1380 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 2904 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2904 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2904 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2904 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2904 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2904 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2904 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2904 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 1828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 1828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 1828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 1828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2904 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2124 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp
PID 2904 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2904 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2904 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2904 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\33ED.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe

"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"

C:\Users\Admin\AppData\Local\Temp\D5A7.exe

C:\Users\Admin\AppData\Local\Temp\D5A7.exe

C:\Users\Admin\AppData\Local\Temp\33ED.exe

C:\Users\Admin\AppData\Local\Temp\33ED.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp" /SL5="$A01F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211185637.log C:\Windows\Logs\CBS\CbsPersist_20231211185637.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\A3C0.exe

C:\Users\Admin\AppData\Local\Temp\A3C0.exe

C:\Users\Admin\AppData\Local\Temp\AD91.exe

C:\Users\Admin\AppData\Local\Temp\AD91.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Country | Destination | Domain | Proto
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
RU | 77.105.132.87:17066 | | tcp
FR | 185.221.198.96:80 | 185.221.198.96 | tcp
MD | 176.123.7.190:32927 | | tcp

Files

memory/2980-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2980-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1380-1-0x0000000002990000-0x00000000029A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D5A7.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2632-12-0x0000000000130000-0x000000000016C000-memory.dmp

memory/2632-17-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/2632-18-0x0000000004490000-0x00000000044D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\33ED.exe

MD5 a139bc5f371372d79f2a89358bf1cb1e
SHA1 c69d1083137b01b02cd618b8f83918fd8b024cd5
SHA256 24cb6a316489ca48a658201992d23abeaf64370eee430bd975d46e8d1c3b7d4d
SHA512 ed513ebeea392e99761b341f1f675d61ea378f3cc2eabeabd0835f229d868afb0ed8deb6c91da14ed1a0caa4bc86b7235f4f9c708b9da2cc079e3cd39ece9abe

C:\Users\Admin\AppData\Local\Temp\33ED.exe

MD5 4146a78eb916ea0c61c38265739214ab
SHA1 f12c4ff52f909f5e9e434d67a5edf22fe143882f
SHA256 a44b6b0ae1ed6aa2665300e8e752607b3d50211d0461c8304d2ffe74336045e2
SHA512 1515ee4be391e7062ff8d029279ef9435f2afda858d27f5ddc0ca0466a849982e3a4b5815a5af89e5ff7f8788aac0ea435de9bf081f682a78726a097ede39848

memory/2904-26-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/2904-27-0x00000000003B0000-0x0000000001866000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 7e23085391ec6f769f81d55520496c46
SHA1 cb2545c01d9bf54f30ee9636dded12387ee6bbe4
SHA256 3f50e08ded7a0974dafffd81ce0352fe15c372c864f4737d686af4c4e87ad964
SHA512 31b183f5bd6e13acfb9926ce788fdbab30a7d488aef9b5a16053d43daf1c68dbd8e213f07ad5352214f230a9e36186221fae4ccd2039f5000e65c4c5941eeded

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 cce61c1ece398cb8c0354e2375f36002
SHA1 e8536625266a75d3c2d632346ded77f6e2188bdf
SHA256 baf5260412a3ad620bb50edd5e35dc682b1442a691f66dd498c47250d28670e0
SHA512 04d139cc553da0865cf885ec4fa1afa9cb22448b49ab30592aed96ae53214842399e9991577af85e93c779382c47ed1ec7ca38531410f731a5bb9694633f6f7d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f5685f9645f54b5e14e50491c7510400
SHA1 23dbb0d8898238f3b74d3f28255521c1dd8b4696
SHA256 d98debba162e7bdd569422e0e226c882c52da2d21122c16911a04c7519117d12
SHA512 1991c06858dc865f7d14935a7ce16ef6df458b2991fa5abd86bc1deacf72dfd27f893d4618387874ceec61e232ea65744add6e24afb4deec93c2e65bc51dbcbd

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 fa7d23cad9fd740f278f958520ca2034
SHA1 43216bd4dfb5f6ef8392baef9553db18e731aa20
SHA256 1c178a01c93d4cabcfc36dbcb00c9af929b33746dcdd3207d94c9f84555e5d09
SHA512 029b2aed04b111823df77a61a1cbb82c901285dc751305c7006061cf1587ede819192c71b77fcc0c28caad3a8e04622b4b20153769ffa862da8ba151dbad9ea0

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ed88de7bde0aa9e5c6373bf712a912e7
SHA1 771c3cfe93ee2cb077d56189abab1543c4b19a0d
SHA256 6b9d8ef83bad81d4075c1419274320f7ee66490742f7779b87681330ec18c885
SHA512 06fb06a9a73ba32368db66a91a787ba24fd050210fcab647321719ff5d9b7e5feceb00f121e3d25efdebc2ee3635c69d9176d2bdf567ddf46b6fb78e8765b633

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 9cb73494c41bc76b37fe0b1eee3f9d94
SHA1 ad7e23afe7fb6fe10d3f1b5dc53bb4ea851a9b41
SHA256 77722230f710d7f99547f1753cbb97e7c60845e3245a8fc9a93ec3337900c388
SHA512 e97aa4004e7f8dd7d7f2c8a38e9609d544a5602dee52808e3a8bfcfc1a53d998168d769bb1ccec42d4fcdc0cd7423dc973515088302975d346b81bf493b11b35

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 8cffcf746c4673ca144895207aa08d8d
SHA1 d7584bb10dd9e2f23d9d1f6cb825d19bce17bbe9
SHA256 9c8565e430a0d034984bfb618a1b2f821c27f4c6802539b02a673d25eb9a4012
SHA512 35a8140206a4c457dff3ab46a54bccb68531c60f1fa2856dc748fa45322a7d8417d27ac7d8f17735e715801e4cd86ffb0bbe7b28eb9102e06b2c9894985eb4bf

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 578c8ca07a0040736c723f755332cff4
SHA1 bbe1448e51cfc66c6dc3dbdbf91a8910eec4fce6
SHA256 319b350cbcbfaac2d306ff8d9c60816ce823e2eb450d0a254b53a453ce223fb5
SHA512 28147a47499d0306e723cb596418e25408e62991284f6f26c6bcbe64b117fcf3b8caac3da30c42f53890fcf1567119ec9dc9764238b30a46a0423850596aae83

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1ac6f91f68a718573bc6e310e5267f9c
SHA1 a30f1f046da88ec78fcab903e37f0b8520625d5d
SHA256 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a
SHA512 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381

memory/2124-64-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 9b6211efa859f78626cc1e41a4969e93
SHA1 78e744caeeab9d0176d7c619f332387274d21652
SHA256 d7e66990530a78a1014c166975437f14e50d4ae464e766f4c2e2d02d4c76d989
SHA512 fd3350b0a1a7ac00345144372c55c8d390eac24c3e7a6962f7a9148a5703027079dc3ccbdd43bc4e0e6cddf4f443513d4b4d37efe231cb782f2fb5f4104f47f0

memory/2604-68-0x0000000002690000-0x0000000002A88000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AF154.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

memory/1940-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-A08LE.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 50745d558a360f008a4ab2212c0e000f
SHA1 5a71cfd716f7096b3edb1eaa061062adc4278c22
SHA256 6e310827e7cc4749bd654838b982ce9de66410a330d524e80ebda1dfcd572799
SHA512 c446af0b5b161d1ea9d1df872bcf0d299bd865ae2db79e44534e8dfda8a5ef25b8da7e15cd87237c9e51e40e683d9fb2ce585f68fd73242b5738dceee09b7751

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 44723bfa045a39954d74b08ed1cd900a
SHA1 0d55114212097cc1f8e3c3fcb116567ab29bd458
SHA256 3af7e0f26aac0c1613bafe6d6e1bfc8cc8da95d11e9b92ed76682cd8b7804c63
SHA512 fb64750979727ddf3af53df23e135116a6cb491981cde9d054894da25628b4b437f2d52a61fd6f27ce5a3eeb107507dd4984cb35ca9f37edb6d82a45813672a6

\Users\Admin\AppData\Local\Temp\is-A08LE.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-A08LE.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2604-93-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2604-104-0x0000000002A90000-0x000000000337B000-memory.dmp

memory/2904-105-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/2604-107-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2632-108-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/1972-110-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1972-109-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/2304-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2304-115-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2604-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-118-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2124-119-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2632-120-0x0000000004490000-0x00000000044D0000-memory.dmp

memory/2868-121-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2304-122-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f81be07058935d224ab3843bff94fec0
SHA1 1a7360901f8cb5017f7a41ca1a6984227b712b16
SHA256 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c
SHA512 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

memory/1940-124-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1380-125-0x0000000003BA0000-0x0000000003BB6000-memory.dmp

memory/2304-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2604-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2604-132-0x0000000002A90000-0x000000000337B000-memory.dmp

memory/2400-133-0x000000013F4A0000-0x000000013FA41000-memory.dmp

memory/832-135-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2868-136-0x0000000000400000-0x0000000000965000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A3C0.exe

MD5 78d06ca1c226aae5ebcd5f57fa7933f8
SHA1 33a26511c5bba5000377f8ec2f7aac8712d3a3c4
SHA256 10fe273698848317681f6c43e79c2164933e4b5937a2c9be935c0bd3f1f69a95
SHA512 e8d92ba7fe31953abd70e03a4edd949a12115cd6d9816abc5d179626b1f043426ac3db854005753db3c8634510f7b04e4df02b4e952ac50946e9118a0328795e

C:\Users\Admin\AppData\Local\Temp\A3C0.exe

MD5 8fcca81a606b4d8e60552944a9769603
SHA1 45debeaedca3763d8f7a215024e516c00b0f4da3
SHA256 4be91c2b94cc383a042fe567ff41fb1a5da6072f98dcc1cadfce958e4f6a1ef5
SHA512 ce136c4d20c957da87c84234c521773c91a3ded5370e09e231d46fe443932b779789e723b24ce8e43a009fb479ef21e301266cc54a892d34163f234702cfdb40

memory/1940-144-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1060-145-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/1060-146-0x00000000002A0000-0x0000000000794000-memory.dmp

memory/1060-147-0x0000000004E80000-0x0000000004EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD91.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/2180-154-0x0000000000A20000-0x0000000000A5C000-memory.dmp

memory/2180-155-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/2180-156-0x0000000004960000-0x00000000049A0000-memory.dmp

memory/832-157-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2868-158-0x0000000000230000-0x0000000000231000-memory.dmp

memory/832-159-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 5aea1b8e8299dda8688663788d1bf770
SHA1 3afb4c592f99b6a99de407532fef2831ab8a930f
SHA256 e15b172d6fad36154885bdb3d1ae14d71d989d6ba515f6359096dd58816b4e19
SHA512 140079927980d2c4d8bb90ca35596e25f164b8a42347ea2c39773356ad9f78d543370780545a5e1059a997b1b0d3f1caafd71d1ef30ff38494bd4a89b49d7573

\Windows\rss\csrss.exe

MD5 9f5c71267bbc8cf4da4552b3015cba43
SHA1 0a7515d566fbea860b0b92b487e0ec2a98903184
SHA256 62a1e200d9cb189c4640d9ade6713781752ad248a2b36d892784b691c332c4dd
SHA512 5434030e43a3fef587b07014e2a73fa83ed826d7390b6981ab637b7e5d9931f406047f0fb16f4148da2346d87737340ca5873c33d9b18084b40cb6bbaf8e8d94

C:\Windows\rss\csrss.exe

MD5 1443c35afa950f86e849dca2a9081678
SHA1 e393b037d5bc43ae4d6ab5ee7468359518a87eef
SHA256 cbda4303a924161f7ca0ad9dfd7faf7ac98b5ef6e563808a036392489bbeb68b
SHA512 15fbe85e7d00a1f20754fecabb1c4d6855b387552f11df000f4225a981ac67804950bc1fae8c3c617eba86f862edbba18a818296e3a21066b1f4fb15c6c84997

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 18:55

Reported

2023-12-11 18:58

Platform

win10v2004-20231127-en

Max time kernel

49s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3188 wrote to memory of 4924 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe
PID 3188 wrote to memory of 4924 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe
PID 3188 wrote to memory of 4924 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B1EB.exe
PID 3188 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe
PID 3188 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe
PID 3188 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F09B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe

"C:\Users\Admin\AppData\Local\Temp\0x000800000001628e-136.exe"

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

C:\Users\Admin\AppData\Local\Temp\F09B.exe

C:\Users\Admin\AppData\Local\Temp\F09B.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp" /SL5="$50120,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\1598.exe

C:\Users\Admin\AppData\Local\Temp\1598.exe

C:\Users\Admin\AppData\Local\Temp\19C0.exe

C:\Users\Admin\AppData\Local\Temp\19C0.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.6.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
RU | 77.105.132.87:17066 | | tcp
US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp
FR | 185.221.198.96:80 | 185.221.198.96 | tcp
US | 8.8.8.8:53 | 96.198.221.185.in-addr.arpa | udp

Files

memory/4116-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3188-1-0x00000000033B0000-0x00000000033C6000-memory.dmp

memory/4116-4-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B1EB.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\F09B.exe

MD5 61373d23292aed3f56c803f4afe5532b
SHA1 737f88128f30da60a0f733bf724d44363b154f77
SHA256 6f081eb36e548e029153784ac1f26a76dcb8c43a1814be6458054ab459a842df
SHA512 1d21fd1db5c7f01fe7ded6a223b6f68b04a6c9b39b3b14b6c8618e1f4b34e882e531d5711f360eb014db4da892623f05f1d56cc754dd756c46a1b3e7e44adbd1

C:\Users\Admin\AppData\Local\Temp\F09B.exe

MD5 1122f3e1f3ec4bdaf7c7dd1b63e1e2df
SHA1 c19b0e4b53fbeead620e63cfb25c209f116dbeac
SHA256 ad91d918d521e2baa52c2bf499aaa11aa088b5e7bd07a40e4042400467addcc5
SHA512 fc44bcd9bddf0f0668ee4e8449955637b3e73bfb0b86e4a2ec22cd21914271dc0a810e1577e52f17467ebe68c80813cc7c63c25cf211cf8373c9c92331f31038

memory/3028-16-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/3028-17-0x00000000004F0000-0x00000000019A6000-memory.dmp

memory/4924-19-0x0000000002C20000-0x0000000002C5C000-memory.dmp

memory/4924-24-0x00000000743C0000-0x0000000074B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 55a76a2b0da9c3f5a3eaf64696e0cb07
SHA1 10d21327682afb6ef84387b1fb9a40fc878a3aa1
SHA256 ebfefd557774941bc2516a909bb1c328df664fb9c693bc5cadfc1b5bb2ffcae2
SHA512 2a26affc5c13304fb3de60bd9e9622ea8d115e463a31180c0f95f7a0b434a282f3914561a896c389c531f8bb0ed8870e2681260ecbd623babbf68aa912f5fadd

memory/4924-32-0x0000000008190000-0x0000000008734000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6b1a159c7cf174ffc59e9683f20c60b5
SHA1 d8ea70530ffa1ecc063080bfebe2f8ca1bab44b6
SHA256 0a46431b6fba57e2754a5cd19e2b95badecc162af04dcdf905ec0a4b81a90da9
SHA512 419e54ca143bbb8029da9d91c583a960eb7c31039f1ffd8e0cd328124a3f97e585c7cae525a7d421455fb934a0fd90418a6983045d058f6d1d38617b04decbf6

memory/4924-35-0x0000000007CC0000-0x0000000007D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 99645d4fb49d38ef42eda77a2f3b9d8f
SHA1 895a1c02cd5cf48652080c4fc8aaf26022e06bb9
SHA256 9d3038c60204675dbc2fc9e0fd5f776eb7e2412d8720cb71c8fef872799b2601
SHA512 035dd1910a13fcaa1b4911f5b9aa3c3fa3ab720f74ed8083ca3d2e6ccb2cf23707af9e8274696231e9d4d6650a0a6fc1e21140eb38fbfbf771e4f5f83321a1b8

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 5dd44d0509871eec95c758d40f525d79
SHA1 73d493c6884b96f179180e5850d6334a7814c930
SHA256 fbfbdfa46ed671e652c67a4fddcf548ecadd8c9be6ef3e2c33e3163f2c147282
SHA512 ca51000cc3e2e9c2b9a38a258b1288abe6428947a2c9ffeb05d226199a24d1df6c5eb6795fcd735bcf0a98ce9d0e18bd8adcd1977aa8580cf591b6de20e2e27a

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 9eb8cde9f6ad9cbcad827b1f7486532f
SHA1 812ee2df1b97e99f77f5dccfda705b3859bea51d
SHA256 0a1290fc84f4b2aff2770cc491a1bad42e351432402e0306ae860c0ad78c9614
SHA512 ae34d556348f94a0a4ae8c12188d159a7dc138ec46597256d41ddb97e82fb6ceddad13db8ed7433c4bd43f2da16f846df12a26bfab1157313b3ce57f1e371b4c

memory/4924-44-0x0000000007E10000-0x0000000007E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9890563f729fd6204fe444239ef96712
SHA1 1e326dce79e8fbd7b3fbb58c42ee8cbd0f19b01c
SHA256 2cf2533ea3dc8865b0de7abb4e8e44feb0d3eb5964eed911adad73924331d4a5
SHA512 54e3dd8913a6cbe1545476a861308505f05e75b5b0b9051ffeb04ac952378564a6385419db3f86d6a5130d292aab8ae9614fe253bd78db20402bb8ef12535e67

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 59d0b1da6248e22c448668eef019c82a
SHA1 61dc1313fc9c90a39a54ce248882f93d929b00fb
SHA256 db5a2f1340e0394a0c5400f893a62f5f2f4b9d2fadd9a01c72322f235abe2d08
SHA512 9204c6caf33d40afa12abeb14a35dec1d341ee3a8c196e4a8ae6b041af4c8d5560356f598a4c43d9adb46f6cc5150541149c534170076a2dcef80ca012ae40e8

memory/4924-55-0x0000000007D60000-0x0000000007D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 98eff24d7fa8551dd0b43091ba9e863d
SHA1 e8443f8d734e425c6251c69518552f0bcd1c22a9
SHA256 524316c79ec405709dfe99e82100dcb3758960fc250796c2cd2b26eaddbd5451
SHA512 6ec7635c29e8d74539930f055fa7e0a677b93acb622ec49f5059d5331ce22a8767ec5bf4ba673e770f2a3be346cabc974c232e64ba81f4b263b9315be1519ec4

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5a31304a677945ee31c8cb9ba97cf79a
SHA1 1b24a39a7f040f637d43193e75ab02da16633cbb
SHA256 48222e715083ef96edbab914462e772086ae72cdb8b421000a0bcebda584be2a
SHA512 e7d21fd12b87c82bb812908057387ebb0bbf3773771b232864705570ad3970153885599317501a4db1cba2fcbb87f168c396653376b9fb0ba45836aff8d0af55

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 bb62eb5da4f2a9ab8434396d9752fdb0
SHA1 ad269614474763d1b6f1b39e51ff58b99bdd2e13
SHA256 08a4f6f94fe0a0b52fab5283aa44f062bb68c1755205bd81ef924f352f2d209e
SHA512 e4da83dbae17e1db6e57692a409ac9c05f7fba029fd1a75d2cee8a1d529475ff4698db371dfd14c846197226077d6699cf648b4428656861f0f5304e819e3632

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 ec84319ca2e52e8ddc444fdbcb1e4666
SHA1 fe7d89bae5c7c5bd8563b9dc4da9a52da2f4549c
SHA256 7b48e22bf0054e327336eeb35ea7dea0ece5db17ae5a3ed7e416f0e4db09ab4b
SHA512 22a1f636bd2cf22cdd807aa022088b7f84dca12b2b906cfc703db4438bf58eaaeea5bbb87f0e37ad578281bcc0f19812443303b2540eeaa7e43680921a787a54

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 c6188926b380d45e3e384bcbfaf0798a
SHA1 864a0987a82e79a53f15df9e117a8e4cfdb7c6b0
SHA256 52ce724f1df325548e1a0671790efae68ccd156efd5daeb8a464a1d11b04ae6e
SHA512 15028fc894d56308bcbe33d49506c4e8a01243811821b11fb9eb900b3b23ba5bafde77c8c36651cbd020692978b53c29975225393feae6634285c303eb4747bf

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 ef2ca2474315d4eba957c6bd2b031cc2
SHA1 b3bbc9e287cb3030170d2c3e726498d23cf729f5
SHA256 4f0484833fe42498719df309016e656332af9875bed05309c911a52faab233ff
SHA512 8c4463596876a5ef5d011f3e01544652bff573f43d585b982711b008e7d3a4a4c3bb6a5238317f0dfff711d51e1499bb0e270dd15bd32ecc6bdbb96e7d64b36c

memory/4812-70-0x0000000002930000-0x0000000002931000-memory.dmp

memory/3484-69-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4924-75-0x00000000090A0000-0x00000000096B8000-memory.dmp

memory/4924-84-0x000000000AA30000-0x000000000AA42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e0cf3db8ce083736035ed1429dded0c6
SHA1 10b784cf8218a50b6f6631098b1f165dafbc570a
SHA256 418bef91323d482fc5aec7341403102209523c028e141baf4a67fcc83e861de2
SHA512 437aa3b3d8ef28020c6dc0494386bd8ad23945d6fe65c7eb4f0b8df18a2cbf6a61462ab67dbf5f5d005d59883b52f528acd3a31ffc939cabdc21fae56d1b0967

C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp

MD5 c92eb06a2c0616bdf739a70b1427b0f0
SHA1 3657c0f2e2ebf65d95469e93ad781516e6b808ef
SHA256 0551438a2f2a917e628bfc212473dafb78edcabd6188389dd485be69437f3e03
SHA512 e23e7499c7959b8cda5c12f888aecc1d08556163280b603998e2ac8dfb268c2d721e5280b977b2d9afcb2312706ec98bfbd490d9a22bc7bb0a8620db19e53327

memory/4924-79-0x000000000AB00000-0x000000000AC0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KCBDM.tmp\tuc3.tmp

MD5 1a327de070fc16c88d3c369cf9314bf5
SHA1 a53c32f679db313d44ec8dddc18b016a3ad89da0
SHA256 b9a0db5eedba426c889821ffccaf602603a437ebde43341cb2f64565e37903f9
SHA512 aff71beaae966666f24622a43ba21de49718006bd930df29d2b8dfacdfb26cb01bbe3ef69a0b916da978ab0d29615f1c804528a4e6491141e1161e561ac0f243

memory/4924-85-0x0000000008C10000-0x0000000008C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UTTGH.tmp\_isetup\_iscrypt.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4932-115-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 cb8589780ed4eec49ce86fe0ca6812df
SHA1 3c267b05846411a2b10fdd2cc5b00cea8c0379e9
SHA256 2146a3ddbf475225fd03d435a21b61d585544f6d1dca1e18f9e81905f1b77b3a
SHA512 97c1aa495c9c1fec778b1c976ecdc88799801b13fcf35ff26fdb8cd249b706c7a152b2bde8747066977b192732c376a2672042722445b163e7744b2cd8d23d18

memory/4924-159-0x0000000008C50000-0x0000000008C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UTTGH.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/3028-229-0x00000000743C0000-0x0000000074B70000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 15a0dda351f35636385497a7c32e84c8
SHA1 5007367936d3c411df6b83a68e64096d45a9bba0
SHA256 b190ff05a520cba2b5e83b5601ad00fbc2a5d05787e52e6d11527cb3c3c1076f
SHA512 6ed427e710eaf4b594dcaa2507f281b57a938d554d89edf3f0389d8c619777907d83587cfb40d9cc5c86db178ea648fb7d3f3e436076e9ecfd246b1edb3df406

memory/2084-234-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 53258ca3c2c1806217f2a74a5e3efa98
SHA1 7cb56064f993331162718a41fbd24e0aaaf2fd72
SHA256 e0146be4280a95bd883a2b94c2a1e7dec70659e4ac72d4adccc79e5f1564e372
SHA512 d9dec66adae672c4a6da27172bb0bf58f7d5ffca01f33a572993b71c21d60e41442a042d348dd0d69546b30c98e9ff456db90a30d6d36ff029f2cbe124aa1f8b

memory/2084-238-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2084-235-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4364-241-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 1f41e68cfaba2605bb3d22f9d2dbffc9
SHA1 b88473492b0ba6699a3eb1b5bc78f3fdaa435a64
SHA256 42554a216c5a6004b4aa3bda996148bb87cb9ccc16c6544c42b631f5be729c7e
SHA512 85b54df76e4f297535716ed9ee4f1315a3a5d5837838458fee83da4bec1cceb41a9863d24c163192d22464e42a61fd4fb3303cf87bd50777601fae4642fd304b

memory/4364-243-0x0000000000400000-0x0000000000785000-memory.dmp

memory/820-248-0x0000000002A00000-0x0000000002E03000-memory.dmp

memory/820-251-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/3860-252-0x00000000005A0000-0x0000000000A94000-memory.dmp

memory/820-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1598.exe

MD5 d078895fbe1120409ac4670b293f8c76
SHA1 5e398cf5a2d357663f932f03527d0d82b6374cea
SHA256 b9ce67e1a5272cb32387114ce7af01596bee018472ac6531c50e14542c0991f1
SHA512 1b15b5e7b7bab4e828d5567d69699114427b85a29102857e7c0873385f1a11e2b150c7bad57b03d1bafb8fa59f309728e17cc0b40701a8636e49258619129b3d

memory/4924-254-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/3860-255-0x00000000055B0000-0x000000000564C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1598.exe

MD5 dd0d2808eac8d10eee37ff74fafe76e3
SHA1 22592377b87d71d705742fc361e1375beedf64e7
SHA256 1e2f298dc66f4349c7428a2b613e9f0e704e5981d57a92eb8466c045a11af488
SHA512 aef349116b20978beac1f1b14873a3be42026eabf1bbb308065aa80db37c3bb68718081757bb6d08b170841bba5b4d076a91d2caa5c0eef4a9343b0fba65fbbe

memory/3860-256-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/4924-257-0x0000000007E10000-0x0000000007E20000-memory.dmp

memory/4812-262-0x0000000002930000-0x0000000002931000-memory.dmp

memory/1364-264-0x00000000005D0000-0x000000000060C000-memory.dmp

memory/1364-268-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/5084-269-0x0000000000860000-0x0000000000869000-memory.dmp

memory/2432-270-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2987c50bafba384b02797e86facd5a73
SHA1 7ad70c88c1b9c24147ee884dbeece0fc774af3e0
SHA256 73fc8f0f66165ac5f2eb5e3be46150dcc560279c9226d89c27b64b8647675a03
SHA512 51e875a9f78ace4d334d111764f5fffe5ac32ba1c82cc6b1ddb3d1875526e081e0e6f83b2e8e3101ee7fe57e268f15c0e397602c0e249bd0bf3cc74a5d0f4ffc

memory/1364-271-0x00000000075D0000-0x00000000075E0000-memory.dmp

memory/5084-267-0x0000000000968000-0x000000000097B000-memory.dmp

memory/2432-265-0x0000000000400000-0x0000000000409000-memory.dmp