Malware Analysis Report

2025-03-15 05:04

Sample ID 231212-kkq1wshhfr
Target 0x0009000000015c89-47.dat
SHA256 5efa3e3fea37dedfe72bc279d46ef26675f978dbb83407c1320ac23f0dc6241a
Tags
redline smokeloader zgrat @oleh_ps livetraffic up3 backdoor infostealer rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0x0009000000015c89-47.dat was found to be: Known bad.

Malicious Activity Summary

RedLine

SmokeLoader

Detect ZGRat V1

Smokeloader family

RedLine payload

ZGRat

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-12-12 08:39

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 08:39

Reported

2023-12-12 08:42

Platform

win7-20231023-en

Max time kernel

38s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe"

Signatures

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\978E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D49E.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\978E.exe
PID 1192 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\978E.exe
PID 1192 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\978E.exe
PID 1192 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\978E.exe
PID 1192 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\D49E.exe
PID 1192 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\D49E.exe
PID 1192 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\D49E.exe
PID 1192 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\D49E.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe"

C:\Users\Admin\AppData\Local\Temp\978E.exe

C:\Users\Admin\AppData\Local\Temp\978E.exe

C:\Users\Admin\AppData\Local\Temp\D49E.exe

C:\Users\Admin\AppData\Local\Temp\D49E.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-52RL5.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-52RL5.tmp\tuc3.tmp" /SL5="$8011A,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\E736.exe

C:\Users\Admin\AppData\Local\Temp\E736.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\EF32.exe

C:\Users\Admin\AppData\Local\Temp\EF32.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 08:39

Reported

2023-12-12 08:42

Platform

win10v2004-20231127-en

Max time kernel

42s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe"

Signatures

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D002.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\59A.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\D002.exe
PID 3304 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\D002.exe
PID 3304 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\D002.exe
PID 3304 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\59A.exe
PID 3304 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\59A.exe
PID 3304 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\59A.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe

"C:\Users\Admin\AppData\Local\Temp\0x0009000000015c89-47.exe"

C:\Users\Admin\AppData\Local\Temp\D002.exe

C:\Users\Admin\AppData\Local\Temp\D002.exe

C:\Users\Admin\AppData\Local\Temp\59A.exe

C:\Users\Admin\AppData\Local\Temp\59A.exe

C:\Users\Admin\AppData\Local\Temp\C61.exe

C:\Users\Admin\AppData\Local\Temp\C61.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\1163.exe

C:\Users\Admin\AppData\Local\Temp\1163.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-7V05S.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7V05S.tmp\tuc3.tmp" /SL5="$6021C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Users\Admin\AppData\Local\Temp\1D2C.exe

C:\Users\Admin\AppData\Local\Temp\1D2C.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp

Files
