Malware Analysis Report

2025-03-15 05:01

Sample ID 231212-ncyybadec8
Target 0x0006000000017081-699.dat
SHA256 a6e75460353f930fe37074adaa5e317940b28cdf40a87493101c3149cbbe2bc2
Tags
smokeloader glupteba redline zgrat @oleh_ps livetraffic up3 backdoor dropper infostealer loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6e75460353f930fe37074adaa5e317940b28cdf40a87493101c3149cbbe2bc2

Threat Level: Known bad

The file 0x0006000000017081-699.dat was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

RedLine

ZGRat

RedLine payload

Smokeloader family

SmokeLoader

Detect ZGRat V1

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 11:15

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 11:15

Reported

2023-12-12 11:18

Platform

win7-20231023-en

Max time kernel

50s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F6BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5014.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6BE.exe
PID 1328 wrote to memory of 2688 N/A N/A C:\Users\Admin\AppData\Local\Temp\5014.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe"

C:\Users\Admin\AppData\Local\Temp\F6BE.exe

C:\Users\Admin\AppData\Local\Temp\F6BE.exe

C:\Users\Admin\AppData\Local\Temp\5014.exe

C:\Users\Admin\AppData\Local\Temp\5014.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-LR9IC.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LR9IC.tmp\tuc3.tmp" /SL5="$C011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\8A19.exe

C:\Users\Admin\AppData\Local\Temp\8A19.exe

C:\Users\Admin\AppData\Local\Temp\9EC2.exe

C:\Users\Admin\AppData\Local\Temp\9EC2.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 N/A tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 N/A tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 11:15

Reported

2023-12-12 11:18

Platform

win10v2004-20231127-en

Max time kernel

36s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C15C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F31B.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 4664 N/A N/A C:\Users\Admin\AppData\Local\Temp\C15C.exe
PID 3328 wrote to memory of 920 N/A N/A C:\Users\Admin\AppData\Local\Temp\F31B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe"

C:\Users\Admin\AppData\Local\Temp\C15C.exe

C:\Users\Admin\AppData\Local\Temp\C15C.exe

C:\Users\Admin\AppData\Local\Temp\F31B.exe

C:\Users\Admin\AppData\Local\Temp\F31B.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-D245V.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D245V.tmp\tuc3.tmp" /SL5="$60208,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3361.exe

C:\Users\Admin\AppData\Local\Temp\3361.exe

C:\Users\Admin\AppData\Local\Temp\36BE.exe

C:\Users\Admin\AppData\Local\Temp\36BE.exe

Network


Files

memory/816-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3328-1-0x0000000002C10000-0x0000000002C26000-memory.dmp

memory/816-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C15C.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\F31B.exe

MD5 182f265abbc7317733d9fb4511a75413
SHA1 125ee52102e53165ad504a617dc6734716277a64
SHA256 31ef26b8caa38f15134995b4a35df616425749c1d1fff3cbad7d8c7898773e8c
SHA512 6de079460cbe416258a6ae9c979aa8358dc6f89b0005ce2ee819ffbd6bf19416d48a615a69ad795229fa065e3453649c74c06205e95426d7024a0a9810ce81df

C:\Users\Admin\AppData\Local\Temp\F31B.exe

MD5 53380a0df6bf654427359ee369de9246
SHA1 869c6464db839f68d3e06d7f224df680806d1148
SHA256 5ccee9f788146cf159dc18c2621431e65ad620282c1d54363b83a01c3e93146d
SHA512 127716c98b8ff1323b69bb573686e27eeda1e6d93fa57c7ec04269ce4bb5ac7c763481b4843004a6884aed2b89966866482c0132358da1eee1e6bd9973c9f4a2

memory/920-16-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/920-17-0x0000000000CD0000-0x0000000002186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6246bba6e701914c6af47e5454ace1fc
SHA1 468ee8bd2779e91e4806c325b1a77538c82d05ab
SHA256 f40e84be9953bf938ea55baca45c1dd17b871f69a73d36d6e5dc9e61de15d6b3
SHA512 a0825fe77c178ab67bfededd09d770a282f8acae1683a3b6df8590dbc4b9e0056db7a6a786321257f1dc24daaff0167f7c680478fabaa94fbc92e8a51459ec18

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6bba7f56e9dab07c3b0c9ca0391dfece
SHA1 53bc13b076534a81ae68dfe56111b6b099274355
SHA256 8f49b7a3769645b800567639741e14c783042530a6201c7529a398dadba62a18
SHA512 7cfa54e06b7fc22c058f7cf49b8010c9e1f11d005647d59437a87eb30eed1db67ffd7ccbc80c9b056994a6065e61779bda8582438809e4b554a98aca1bc8e29f

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 4da7cd4ff1ed7974da326f0d2f776c54
SHA1 f2410abc08d59e9200a9a800c43276f6984add0f
SHA256 92e1a010f0d2e4c5f87c4bf44a50c4af2617d5336fde68ad52167a2f01476557
SHA512 6318f995d1698a50ff355b934c4246396c6a124ab65a194cf15819e9b0cbd346594034afd08da24299ad7eeadf52bddb43507fa63965ea4af46b4d31ce9293d6

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 bf61d7271f0a302b63457e4278b966ac
SHA1 a60a0d1235b377664d24b8266d23cd24323df483
SHA256 3300291247d2b2cff4b602a9bc8ac382f824d677513f175190fdb642a462b9b3
SHA512 08ebf2aca164b57937d6974ccab2e7fc62a5175da1fc7b13aa81f8e6e1ddb35754287d86910a566717ad7b4d0dc8f4043ac687ea2490f0710a2c89c8f6acd2f5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f5685f9645f54b5e14e50491c7510400
SHA1 23dbb0d8898238f3b74d3f28255521c1dd8b4696
SHA256 d98debba162e7bdd569422e0e226c882c52da2d21122c16911a04c7519117d12
SHA512 1991c06858dc865f7d14935a7ce16ef6df458b2991fa5abd86bc1deacf72dfd27f893d4618387874ceec61e232ea65744add6e24afb4deec93c2e65bc51dbcbd

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 bade85bda599575ef7a184fadc9ed0d8
SHA1 f09e158b0dd17bdbdb36c809ac66d3df7339a323
SHA256 4d281a56b8beeba6b562c5b6e749bdb3ec453897843461becfff7a968a5c8a50
SHA512 d43963a9c27ed40ee9ec52737d957844012f319be638a376f2c1e60f0ff7b05e931995c8adb090612f950de5832920da2d60ebaec0accb43f9c5a17e8fe3bbe7

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 32b65371fe3391c0626ee3115787473c
SHA1 bab2061d2abe69f1d067b8f3b00e3c086db449bc
SHA256 2fd8fe1f27dba2ad34eb0677c66ea8430f7d8e13d56dcf19af9dd96757c03ccb
SHA512 608798eb7cd9431178778298b196709f2d3c7c9745767de2c720303b814c2549455facadfb61a3aa69a7b7fe6888f3ca2d4fc17eb186a23f416e962bedd7b0a6

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 e20f3caf2bb268a96a86bae9511862e6
SHA1 1fa8d89670e61870ea8722995472496262dd51d3
SHA256 7172b3f895d532098d57ffc7f276fcd7acae91919ac5a036def4f54edc0862dc
SHA512 6d7760bd76013b5ba61be73c293eab6f1522a508cdf736e6e1352a61904e976c4fec9eb0d86ec5fe8ec12cd0537425971bb497b89260221cf3083500e0c62fa6

memory/3128-59-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 df5dfc67daa14d0fb30d4b2e4193bd2d
SHA1 8ab837661f393e3949c5dd0647c0dc68767aa4a5
SHA256 171db0491441ac4c9e5a966a52e3e5ad578ee999548cc4a02b5968dad5afb58e
SHA512 09152a498f6079ef0961dd7865be386dc5e68844fbe11e1e5f8905f2557e3184d7b4fd1020d84b6b3cfa0d55b3c97f439c37941fc1ffa125dd5678a38158a316

memory/4620-60-0x0000000000E00000-0x0000000000E01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 12ee6bd2e15925df101867cc29dddc25
SHA1 14b79a05fa8ae46b4c48968d5a879e046e84f467
SHA256 f73c2d23767500f362c7011fe28c4e4c83f56466e9c53ac872c91b35ed73639b
SHA512 5e68426c238f298d97f706e17d2687d99fa3bd2124698674c028b22dea8a76cbd158b43a67061a670c002b0af7120f673b89c040f3b9409abc693d94fa84b881

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 779985bb5d7eb4ddcc9024be54a82a3b
SHA1 c8632555a702f2957ec7331f45bc28f9835678fa
SHA256 a0662906f536a0238a43e8682c68288e2a74a07ab4019a2adbbc6febcde8a590
SHA512 404dae83810681ce9052ec5c002ecb309a7eb6e3a82bb14bc891e1eebc5e5a46484edceb36ffd511119f02347e6891dad935be4c7b47af1a4512cd0a25571baf

C:\Users\Admin\AppData\Local\Temp\is-D245V.tmp\tuc3.tmp

MD5 a3555f5c4045b50dcbcd509833c7af26
SHA1 1125e3fb466477e5a1c8277afc57907532e6099c
SHA256 5c545cda929a154663c19b6d0c59dbbe187f0a0e880463990bb59c722eff620c
SHA512 2322221dfe0778197e2c45c49ca0d4128966c9c7053048562f86c9e7f107b147b5a0d92430fb718fb07d3770dc0c45b738c1655cc1f85a412e6d68b4654ed435

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 a7867bda40f5bc5cda1aa4ae32415a94
SHA1 b96c1e9525615fef0552887f909423ef4afce079
SHA256 af25460cb128d9bbf2f2d60017a86aa28ebad7a7cadcfbe4c7db0d3201b71b0d
SHA512 d2c4bd28772e5f53e3bb1814deb969ad649975768ab2e0f4bf8535e617dcf25227c7dfb83723b4b2fe38c1176ad0e6d9be48795d0cc41045b9742751c1f445e5

C:\Users\Admin\AppData\Local\Temp\is-951T6.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2364-90-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-951T6.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/920-91-0x0000000074AE0000-0x0000000075290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-D245V.tmp\tuc3.tmp

MD5 96b475fa9f960b578b723ad447a5dc57
SHA1 f42718147e85e69231844f0694299e811eaed6f4
SHA256 30e0eccbc931d7257013e8aa9755afbae6d7b7de7140ff8fd32bd4b22903c72a
SHA512 f3116ee1c7e5108cf57cfb572201209fc88f1aa74b1b760d4266fecc40ae0b0bc921085cb2c562f9a4d9ea5b4a56baaa19e2d0d08ca8520797bf60297cc838f5

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 32e6b7db84041aa6529e63e9f063b8a6
SHA1 1eeb346d9d7bed83d1af3897b3e2af14295bf069
SHA256 580f7efaaf6ae80342d00d50d4b8b2f17f599e4d25e720c0f98574204e6dc5ad
SHA512 77f57425c724f752fbc4d1d245cf4891e3fa2400a512521140a5b584de5755645b322351eacdf3e2e92747275623fde02583da823ba8152ebf7ca5419f837aca

memory/5136-220-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5136-219-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5136-223-0x0000000000400000-0x0000000000785000-memory.dmp

C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jt25b4cy.qxd.ps1

C:\Users\Admin\AppData\Local\Temp\3361.exe

C:\Users\Admin\AppData\Local\Temp\3361.exe

C:\Users\Admin\AppData\Local\Temp\36BE.exe

C:\Users\Admin\AppData\Local\Temp\36BE.exe
