Malware Analysis Report

2025-03-15 05:12

Sample ID 231212-csentsdcfq
Target 4d6ec3c69ac5c29f445f22fedda91852.bin
SHA256 b672f75f3834023ae1a292f8cb1558a242ed2cd5e9b39bcb470ad7316b346333
Tags
redline smokeloader @oleh_ps backdoor infostealer trojan zgrat livetraffic rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b672f75f3834023ae1a292f8cb1558a242ed2cd5e9b39bcb470ad7316b346333

Threat Level: Known bad

The file 4d6ec3c69ac5c29f445f22fedda91852.bin was found to be: Known bad.

Malicious Activity Summary

RedLine payload

SmokeLoader

Detect ZGRat V1

Smokeloader family

RedLine

ZGRat

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 02:20

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 02:20

Reported

2023-12-12 02:22

Platform

win10v2004-20231127-en

Max time kernel

36s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E177.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17E9.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 4260 N/A N/A C:\Users\Admin\AppData\Local\Temp\E177.exe
PID 3332 wrote to memory of 4132 N/A N/A C:\Users\Admin\AppData\Local\Temp\17E9.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe

"C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe"

C:\Users\Admin\AppData\Local\Temp\E177.exe

C:\Users\Admin\AppData\Local\Temp\E177.exe

C:\Users\Admin\AppData\Local\Temp\17E9.exe

C:\Users\Admin\AppData\Local\Temp\17E9.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\222B.exe

C:\Users\Admin\AppData\Local\Temp\222B.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\28A4.exe

C:\Users\Admin\AppData\Local\Temp\28A4.exe

C:\Users\Admin\AppData\Local\Temp\2E81.exe

C:\Users\Admin\AppData\Local\Temp\2E81.exe

C:\Users\Admin\AppData\Local\Temp\is-DU1UB.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DU1UB.tmp\tuc3.tmp" /SL5="$601EC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 02:20

Reported

2023-12-12 02:22

Platform

win7-20231025-en

Max time kernel

37s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BC6D.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe
PID 1268 wrote to memory of 1824 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC6D.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe

"C:\Users\Admin\AppData\Local\Temp\4d6ec3c69ac5c29f445f22fedda91852.exe"

C:\Users\Admin\AppData\Local\Temp\8076.exe

C:\Users\Admin\AppData\Local\Temp\8076.exe

C:\Users\Admin\AppData\Local\Temp\BC6D.exe

C:\Users\Admin\AppData\Local\Temp\BC6D.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\C44B.exe

C:\Users\Admin\AppData\Local\Temp\C44B.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\is-583C2.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-583C2.tmp\tuc3.tmp" /SL5="$9014C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\D108.exe

C:\Users\Admin\AppData\Local\Temp\D108.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp

Files