Malware Analysis Report

2025-03-15 05:20

Sample ID 231212-nnbbdsdga4
Target 0x0005000000018727-137.dat
SHA256 11dcd6493bebe6e9a273ee7d539eab6ef711189aafb5624e0ed0cf5fe4b49c92
Tags
smokeloader backdoor trojan glupteba redline @oleh_ps livetraffic up3 dropper infostealer loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11dcd6493bebe6e9a273ee7d539eab6ef711189aafb5624e0ed0cf5fe4b49c92

Threat Level: Known bad

The file 0x0005000000018727-137.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan glupteba redline @oleh_ps livetraffic up3 dropper infostealer loader

Glupteba

SmokeLoader

RedLine payload

RedLine

Smokeloader family

Glupteba payload

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Unsigned PE

Checks SCSI registry key(s)

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 11:32

Signatures

Smokeloader family

smokeloader

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 11:32

Reported

2023-12-12 11:34

Platform

win7-20231130-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself


Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A

Note: the subkeys under Enum\SCSI carry the vendor and model strings of attached disks, which is why loaders enumerate this key: hypervisor disk names are a cheap virtual-machine check before the payload stage is fetched.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe

"C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe"

Network

Country Destination Domain Proto
RU 81.19.131.34:80 - tcp
RU 81.19.131.34:80 - tcp

Files

memory/2308-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2308-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1412-1-0x0000000002A50000-0x0000000002A66000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 11:32

Reported

2023-12-12 11:34

Platform

win10v2004-20231127-en

Max time kernel

35s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2FF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE9.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\D2FF.exe
PID 3148 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\D2FF.exe
PID 3148 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\D2FF.exe
PID 3148 wrote to memory of 4324 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE9.exe
PID 3148 wrote to memory of 4324 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE9.exe
PID 3148 wrote to memory of 4324 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE9.exe

Note: the Target column maps PID 2480 to D2FF.exe and PID 4324 to FDE9.exe. A process writing into a child it has just spawned is also what an ordinary process launch looks like, so read these rows together with "Executes dropped EXE" rather than as stand-alone evidence of code injection.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe

"C:\Users\Admin\AppData\Local\Temp\0x0005000000018727-137.exe"

C:\Users\Admin\AppData\Local\Temp\D2FF.exe

C:\Users\Admin\AppData\Local\Temp\D2FF.exe

C:\Users\Admin\AppData\Local\Temp\FDE9.exe

C:\Users\Admin\AppData\Local\Temp\FDE9.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-BCIF0.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BCIF0.tmp\tuc3.tmp" /SL5="$401C8,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3B8F.exe

C:\Users\Admin\AppData\Local\Temp\3B8F.exe

C:\Users\Admin\AppData\Local\Temp\40EF.exe

C:\Users\Admin\AppData\Local\Temp\40EF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RU 77.105.132.87:17066 - tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp
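The Network tables of both detonations mix the sample's own connections with sandbox reverse-DNS lookups and Windows background traffic. The Python below is an added example, not part of the original report: it runs over rows transcribed from the two tables and separates the direct-to-IP TCP connections (the shape of a hard-coded C2 list) from the noise. The noise heuristics (in-addr.arpa queries to the resolver, bing.net hosts) are assumptions about the sandbox, not something the report states.

```python
"""Triage the Network tables of this report into C2 candidates vs sandbox/OS noise."""
from collections import OrderedDict

# Constructed from the two Network tables above (behavioral1 and behavioral2);
# each row is (run, country, destination, domain, proto). Domain is "" where the
# report left the column empty.
NETWORK_ROWS = [
    ("behavioral1", "RU", "81.19.131.34:80", "", "tcp"),
    ("behavioral1", "RU", "81.19.131.34:80", "", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "2.181.190.20.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("behavioral2", "US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("behavioral2", "RU", "81.19.131.34:80", "81.19.131.34", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "34.131.19.81.in-addr.arpa", "udp"),
    ("behavioral2", "RU", "185.172.128.19:80", "185.172.128.19", "tcp"),
    ("behavioral2", "RU", "77.105.132.87:17066", "", "tcp"),
    ("behavioral2", "FR", "185.221.198.96:80", "185.221.198.96", "tcp"),
]

# Assumption: these suffixes are benign background traffic in a Windows sandbox
# (reverse lookups issued by the sandbox itself, Bing/Windows tile fetches).
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.net")
RESOLVER = "8.8.8.8:53"


def classify(row):
    """Label one table row: sandbox-rdns, os-noise, c2-candidate or other."""
    run, country, dest, domain, proto = row
    if dest == RESOLVER and domain.endswith(".in-addr.arpa"):
        return "sandbox-rdns"
    if domain.endswith(NOISE_DOMAIN_SUFFIXES):
        return "os-noise"
    if proto == "tcp" and (domain == "" or domain == dest.rsplit(":", 1)[0]):
        # Direct-to-IP TCP with no hostname: the pattern of a hard-coded C2.
        return "c2-candidate"
    return "other"


def c2_candidates(rows):
    """dest -> {country, runs} for c2-candidate rows, in first-seen order."""
    out = OrderedDict()
    for row in rows:
        if classify(row) != "c2-candidate":
            continue
        run, country, dest, _, _ = row
        entry = out.setdefault(dest, {"country": country, "runs": set()})
        entry["runs"].add(run)
    return out


def ioc_lines(rows):
    """One defanged line per candidate, flagging those seen in both detonations."""
    lines = []
    for dest, info in c2_candidates(rows).items():
        ip, port = dest.rsplit(":", 1)
        tag = "both-runs" if len(info["runs"]) == 2 else next(iter(info["runs"]))
        lines.append(f"{ip.replace('.', '[.]')}:{port} {info['country']} {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_lines(NETWORK_ROWS)))
```

The "both-runs" tag is the useful output: 81.19.131.34:80 was contacted by the Windows 7 and the Windows 10 detonation alike, which makes it a far stronger blocking candidate than an address seen once.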

Files

memory/1784-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3148-1-0x0000000002C40000-0x0000000002C56000-memory.dmp

memory/1784-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2FF.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\FDE9.exe

MD5 cff64ef83e84074114d6079370bd3d85
SHA1 cb77bd5d33152c85b7637de7194d69cf9df4aa53
SHA256 80065f7549a62674c9f4470adb115a10aaaee69f88fe26269ebf753c3aa9afe3
SHA512 7e6e205cb9605bbaef24db4a8ea8dd001dc9b88a1b6af9e89e14ccb7b895a4ced81855d6e667d258bc1b9c4ef714508dfdea043fdef804b9f4984e8a1671cfce

C:\Users\Admin\AppData\Local\Temp\FDE9.exe

MD5 5fbd560d628787ea9b6a26ee3b79a27d
SHA1 363feeac09d88e1d56d4aec08f559aed4abcba69
SHA256 58ff75e290c5a2608f58a04aabef4a6e46d8ec4dab02044279f65a36b69bfce5
SHA512 a5a8952209c08e7665870f182521dc83a8cebdff78796d66532f4aa55b0d9f0deec1a854fc1286083206747645ff6653de11ca692c07d4e339c5187b1030512a

memory/4324-16-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/4324-17-0x0000000000E70000-0x0000000002326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 f423b4b58315402e3d6c63001cbafa24
SHA1 5ce6deb169f442ad7fd3b21d70cc39848413f6bb
SHA256 abd9546db4da77bc0aa7451390ed09067eaf695ac924e5aeffde310d78df0322
SHA512 5653fd22edc10aa9c7efc3cd4e5902337d2926f20b0940b4bd92fe518fb231620d2873a5de4e54c877ea0f4076fd7943ef86166bc555a3fd4505de799045e848

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 d09848724fa993ecda379a7053bdfdde
SHA1 6529f3bb49a00321b3fb93f8eed10e3d056ff25a
SHA256 27d1ce72050f4fb53048bce576c975e9d9cefe8a39cd9759be634320d93190f3
SHA512 c4f903e5ae444670dc724d5511ff786c737888ca8ff2d55bcbe683deeb18760cb7617759084b40d7e1c4011a9aed075d65b2270df4f84ab1a8d8356e2c9a440d

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 23a05721e13cfc2d7093bd7018eb1870
SHA1 051798b142c89650be1de5ad99909e2f05469d9a
SHA256 2ee5e11ab563d8d5229cd83583e7c9cfe43607cf2572602b434ca3eddf314396
SHA512 79cef872dfe476e25e7a24a3ec4d0d3b6763ca7310951c58f52fafd228a3f28f55ccd6cc4993e723df53085921fea0d8f7c5d195249c5537e843f8d279c781b2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 4dc703a1292f7ae81a10105c0ce28a43
SHA1 ae0ee928db8037ca0a34031b556d2ea62fc4d96e
SHA256 c13a9f933aba7ada1740067f68a93613c0e4ec3266d9bfe5c0ab8bd278fc4312
SHA512 e3c3d804127edb4819362b26724c3d3e9712355175ace7a1a00add09def1bdf759332b0f4fade43491a26a530a0ccd6bb0be1a344d77b7b358b4dfb71ba5c8de

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 24afaceaf948e05dd394118e665208c0
SHA1 6124dcdc9be01f2d96b62d782b371e8084299313
SHA256 9b119930078b4a8e743b4ebb2f671174d34f990f1f1507150dc866258d0f2aca
SHA512 c3c384e3a0422f4c9f60dc43b79b4d9f1da3483c96744bb0573853c73bb2c404770fb468a32696936ab983fd3272db5c29b02db460d3fe0335fe9a0f6e9f9240

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 c2f66d15f2d6c660047154704e7d186c
SHA1 36f72e94b82ed17f36d0ca722ada953b0ebc5bf4
SHA256 8cf00f2d21fe713193ada5cb47b37be9d872fbff4d025ed14567785c09411f1c
SHA512 3126404938b881d2d5520a1f5e2a5274d4bad56556087f7702a620256930736e10db1ac324e2c46991a7322a99270eef47087dc7d8c405691a683db012cf4f4e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ed88de7bde0aa9e5c6373bf712a912e7
SHA1 771c3cfe93ee2cb077d56189abab1543c4b19a0d
SHA256 6b9d8ef83bad81d4075c1419274320f7ee66490742f7779b87681330ec18c885
SHA512 06fb06a9a73ba32368db66a91a787ba24fd050210fcab647321719ff5d9b7e5feceb00f121e3d25efdebc2ee3635c69d9176d2bdf567ddf46b6fb78e8765b633

memory/4468-51-0x0000000000A80000-0x0000000000A81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7b80714b983fcb5e0609d602d79a6103
SHA1 9708ef6dbc0a5f80d772e0aafd0fc7d1a75d3abf
SHA256 6dba9f1361c70e6976540cc437cff09fafc9e67e66c28062a10f370719bb76a4
SHA512 da5b01d072c3a6dc1df08290c29e571f5ddc256880b9c3125b623341559193b70cc3f5409235f127db98425d38d9ed900c5af068f4c06333276b037bb7d2ff44

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 0751c4c8ac323a15ba921d226879ee57
SHA1 6a36303775aca512f0049f5289416e2733baeed0
SHA256 e6ade4a63eb003d2a2b7e3b9832cda0562799b6f5768676a81a495537c59466d
SHA512 aa17a4adc99f5cf41f59cc356967c3c58da303dc9b7ce7434b34c39dcc5e794303e94688cf46f0d838c1031e4862b0b847fd34e2087d7393b59abd215d13cc6e

memory/4376-60-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 a878fd59450cb9ce6035866d1ead5046
SHA1 a27f49fe6077d9df7fc5876ee8e7411778b352b0
SHA256 adb7a719392c662a71ebc34d010e81dce9098b20982296800e91d1b586e71ef4
SHA512 bf6d19547349c02717856693c51eba0598d226abc925a1fc1c62b3b69d782dd3e18d30813f73a74c6b40ea4370e8c23757e830132e66f8689df479e60cce6d24

C:\Users\Admin\AppData\Local\Temp\latestX.exe (zero-byte capture: the digests below are those of an empty input, so this entry carries no content to match on)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\is-BCIF0.tmp\tuc3.tmp

MD5 62d6a24c2484767393739a646cbf1107
SHA1 d81888d9a7a01df0cf1b18ece9df67ea5385a719
SHA256 35ecdfa24c07e274c4e73b4312d985e41c3a5c2050d45379c0d2df0c00747b31
SHA512 8415a24bc46d0cb9c2baf4728fbd77e2a99acb0978dc91a72558db999238c1a77b0fd752c25e84ef1ddf183169e1487988fe23885d7147a66c8507a8459fb942

memory/4324-75-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BCIF0.tmp\tuc3.tmp

MD5 8924b8801ce624b77b6b1ba0ce1ac512
SHA1 b61a9aea9e4e5e069b7ea613a114db00a2e109d6
SHA256 827f44183f874928084c401602bb65820533204be9df7608d96f6801ea727d20
SHA512 4c11a6a455a7b05e0ba8b3a232945ee33dd7cab8b90ae608d430f1f80264afd845fd1ebd0900cf8469a05f826bb6893e67ed105a21ed979e7741263eebdc8c41

memory/4508-91-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MLOA1.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-MLOA1.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 02a6a571841456559de477865ac7def2
SHA1 9d386fdfea8054cd62238367803f5b1ce00141ed
SHA256 90c45dbad03536600b9edf39a702f6d35464ea73c72cce7ddf3bb0a5258a5e92
SHA512 abeda66501596bd26d73d46b08c0b4cde2899819d8f2a9825c4811fa051ec44ba6a280dd909da40344d7370051400d7f9d3ab21d7416cd8fa0e3815e610013ae

memory/4872-219-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4872-223-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 5da1346809bc21b6fd44af96bc21dab3
SHA1 f30fb94538c5818f6ba01507b8de64de144a81e4
SHA256 59e2e7ff78a10b7f4f84bfd5dd3abbfac2c0ceb95253a8fe80845b5e27e4d506
SHA512 cccf5ee5678bf3cdd2a872a3c1b06cbd0b7b57029a5cdb382a0896034cff42f414de05f13c030a3f72235fb788b3ddcc0ea92d71c9d8f316517771551c3c260d

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 1d99bc2ad7d2973a672d425eb2ab7fea
SHA1 96a77416861b699c631f4040d91c2bbc736e99c5
SHA256 cc3891810fd95fa59def38e550ca9a65663c3075a7a482b5e251cc1387275435
SHA512 e71f61c3828cf1cfb9651cef12e0c1304d132233f804f84068ffb213382006cd65944c47baaada7060c45b964ee9bf83ba4b583ea196bae3404b8fded4ec3f09

memory/3804-226-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3804-228-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4872-220-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2480-231-0x00000000027A0000-0x00000000027DC000-memory.dmp

memory/2912-236-0x0000000002A50000-0x0000000002E4D000-memory.dmp

memory/2912-237-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/2912-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-239-0x0000000007C30000-0x00000000081D4000-memory.dmp

memory/2480-241-0x0000000007680000-0x0000000007712000-memory.dmp

memory/2480-240-0x0000000074100000-0x00000000748B0000-memory.dmp

memory/4468-243-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/2480-244-0x0000000007910000-0x0000000007920000-memory.dmp

memory/2480-242-0x0000000007830000-0x000000000783A000-memory.dmp

memory/2480-245-0x0000000008B80000-0x0000000009198000-memory.dmp

memory/4376-246-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3772-247-0x0000000000800000-0x0000000000900000-memory.dmp

memory/2480-253-0x000000000A400000-0x000000000A412000-memory.dmp

memory/4508-252-0x0000000000540000-0x0000000000541000-memory.dmp

memory/2124-254-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2480-255-0x000000000A460000-0x000000000A49C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 7ecc1520479c7ed04b9432e4a71e12de
SHA1 612ff7f17d941c4061b1b4014262d48214c70b89
SHA256 e4556ccf64dd770fe581808119f10bfe1acaf369eb624a7af0c83f69de6798f2
SHA512 1069419c11ce16b90fdbfe35a6375522edf9f9cad867b3033bd77d37ef3a6d6c70573ef4fe5a98875ad03e47a5005d1c3be9681a67480ccce7adb24607a9ef2e

memory/3772-250-0x0000000000960000-0x0000000000969000-memory.dmp

memory/2124-249-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2480-248-0x000000000A510000-0x000000000A61A000-memory.dmp

memory/2480-256-0x000000000A4A0000-0x000000000A4EC000-memory.dmp

memory/3948-257-0x0000000002590000-0x00000000025C6000-memory.dmp

memory/4468-258-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2912-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3948-260-0x0000000074100000-0x00000000748B0000-memory.dmp

memory/3948-261-0x0000000002540000-0x0000000002550000-memory.dmp

memory/3804-262-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3948-263-0x0000000002540000-0x0000000002550000-memory.dmp

memory/3948-264-0x0000000004CA0000-0x00000000052C8000-memory.dmp

memory/3948-265-0x0000000004A80000-0x0000000004AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbvzj2ah.d3d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3948-266-0x0000000005480000-0x00000000054E6000-memory.dmp

memory/3948-276-0x0000000005660000-0x00000000056C6000-memory.dmp

memory/3948-277-0x00000000056D0000-0x0000000005A24000-memory.dmp

memory/3948-278-0x0000000005B60000-0x0000000005B7E000-memory.dmp

memory/3948-279-0x0000000006080000-0x00000000060C4000-memory.dmp

memory/4344-281-0x00007FF7C6710000-0x00007FF7C6CB1000-memory.dmp

memory/4508-282-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2912-283-0x0000000002A50000-0x0000000002E4D000-memory.dmp

memory/3948-285-0x0000000006EE0000-0x0000000006F56000-memory.dmp

memory/3948-284-0x0000000002540000-0x0000000002550000-memory.dmp

memory/3948-286-0x00000000075E0000-0x0000000007C5A000-memory.dmp

memory/3948-287-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B8F.exe

MD5 0a81df1cd9c7f7049b3a69c701e600d8
SHA1 06a6678654e587364c89d0736c4616e9bd30897a
SHA256 21349cb38a2a08083974d312bc3f1818b5f1cf59a90b96fbebc2e6b74800c877
SHA512 ee04cd209398f065b13a76f3f9415b84f8f159ef28d882071b749811b1d8f2db9f0fb39be07cb9ab8fc08f5541aa85fcbee711c5c5db9c08c6c69fc218a029dd

C:\Users\Admin\AppData\Local\Temp\3B8F.exe

MD5 25e0347d1b083ec1775dee35cb961d46
SHA1 55bf5645c2b634a163b43e447107df23cd6b9df9
SHA256 ee8390a29f49e5954ef8cb58e279aa60ee0d3ff3094715a295d2def7f3e2012e
SHA512 d498f250fefaf0ac94b9875acea93ef1ee43994ad0d30979e79c6cebf30c5d5d115e84ca90a99917d404626d0b601c7a732a7f00ecb8f0342e67a04bb2c0aaaf

memory/3804-292-0x0000000000400000-0x0000000000785000-memory.dmp

memory/832-293-0x0000000000EA0000-0x0000000001394000-memory.dmp

memory/832-299-0x0000000005E60000-0x0000000005EFC000-memory.dmp

memory/2124-296-0x0000000000400000-0x0000000000409000-memory.dmp

memory/832-301-0x0000000074100000-0x00000000748B0000-memory.dmp

memory/2912-295-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/3948-303-0x00000000711F0000-0x000000007123C000-memory.dmp

memory/3948-302-0x0000000007100000-0x0000000007132000-memory.dmp

memory/3948-304-0x000000006C430000-0x000000006C784000-memory.dmp

memory/3148-294-0x00000000027E0000-0x00000000027F6000-memory.dmp

memory/2912-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3948-316-0x000000007F710000-0x000000007F720000-memory.dmp

memory/3948-317-0x0000000007140000-0x00000000071E3000-memory.dmp

memory/3948-318-0x0000000007230000-0x000000000723A000-memory.dmp

memory/3948-315-0x00000000070E0000-0x00000000070FE000-memory.dmp

memory/2480-319-0x0000000074100000-0x00000000748B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\40EF.exe

MD5 035b50b09a7610e042cd03dff74d9e50
SHA1 b4ed38feb9e08b89463ac7f04de6bfbfacf9448c
SHA256 e42ae1aaf458cc38dcc64599c09c5a5fb699c74105a4d193e5873d74f3efdf2b
SHA512 5f24736b02436bfb3cea6cfab40cdf7ee6ee7554d3a4a89eb12a8f5c82a2ae9681dc0542bbc827ef3e2b6c97780da995705bd75daedfae6734b8fa1258c5c479

C:\Users\Admin\AppData\Local\Temp\40EF.exe

MD5 c2c53c82172054a76f715393d63d6cfc
SHA1 5cc6f2ec9422720aaeb51caef4011b151c32faa5
SHA256 7ea5a2551f71f18d9d8742f3630f7ee571cdcfb9f512e39a1cae8d93d302a5cf
SHA512 a59b4bf208856f256dfec094361a2efad5281b9d78d09093527fe88d7f86ec36406d3318b75daae485b908f5d537f0e4c3152e201519b2a247a3a2019824dee8

memory/2480-324-0x0000000007910000-0x0000000007920000-memory.dmp

memory/1716-326-0x0000000000CA0000-0x0000000000CDC000-memory.dmp

memory/3948-325-0x0000000007340000-0x00000000073D6000-memory.dmp
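The Files section lists several paths more than once with different digests (FDE9.exe, InstallSetup9.exe, tuc3.exe, latestX.exe and others), and one latestX.exe entry carries the digests of an empty file. The Python below is an added example, not part of the original report: it groups a transcribed subset of those records by path, flags zero-byte captures by computing the empty-input digests rather than hard-coding them, and emits a deduplicated SHA256 list that leaves the empty-file digest out, since blocking it would match every empty file on an estate. The "each entry is one capture of the path" reading is an assumption about how the sandbox records writes.

```python
"""Clean up the Files section: group per-path hash records, flag zero-byte captures,
and emit one SHA256 blocklist without the empty-file digests."""
import hashlib
from collections import defaultdict

# Constructed from a subset of the Files section above: (path, md5, sha1, sha256).
FILE_RECORDS = [
    (r"C:\Users\Admin\AppData\Local\Temp\D2FF.exe",
     "9f1265c20060a18b398fa1cc9eecd74f", "ed932cffcbeb7820e541f3751c4e835b3d72695d",
     "84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e"),
    (r"C:\Users\Admin\AppData\Local\Temp\FDE9.exe",
     "cff64ef83e84074114d6079370bd3d85", "cb77bd5d33152c85b7637de7194d69cf9df4aa53",
     "80065f7549a62674c9f4470adb115a10aaaee69f88fe26269ebf753c3aa9afe3"),
    (r"C:\Users\Admin\AppData\Local\Temp\FDE9.exe",
     "5fbd560d628787ea9b6a26ee3b79a27d", "363feeac09d88e1d56d4aec08f559aed4abcba69",
     "58ff75e290c5a2608f58a04aabef4a6e46d8ec4dab02044279f65a36b69bfce5"),
    (r"C:\Users\Admin\AppData\Local\Temp\latestX.exe",
     "a878fd59450cb9ce6035866d1ead5046", "a27f49fe6077d9df7fc5876ee8e7411778b352b0",
     "adb7a719392c662a71ebc34d010e81dce9098b20982296800e91d1b586e71ef4"),
    (r"C:\Users\Admin\AppData\Local\Temp\latestX.exe",
     "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Digests of a zero-length input, computed rather than hard-coded.
EMPTY = {name: hashlib.new(name, b"").hexdigest() for name in ("md5", "sha1", "sha256")}


def is_empty_capture(md5, sha1, sha256):
    """True when all three digests are those of an empty file."""
    return (md5, sha1, sha256) == (EMPTY["md5"], EMPTY["sha1"], EMPTY["sha256"])


def consistent(md5, sha1, sha256):
    """Sanity check on the transcribed data: lowercase hex of the right width."""
    return all(len(h) == n and all(c in "0123456789abcdef" for c in h)
               for h, n in ((md5, 32), (sha1, 40), (sha256, 64)))


def group_by_path(records):
    """path -> list of (md5, sha1, sha256, status) in report order."""
    grouped = defaultdict(list)
    for path, md5, sha1, sha256 in records:
        if not consistent(md5, sha1, sha256):
            status = "malformed"
        elif is_empty_capture(md5, sha1, sha256):
            status = "zero-byte"
        else:
            status = "content"
        grouped[path].append((md5, sha1, sha256, status))
    return grouped


def sha256_blocklist(records):
    """Unique SHA256s of non-empty, well-formed captures, in first-seen order."""
    seen = []
    for entries in group_by_path(records).values():
        for _, _, sha256, status in entries:
            if status == "content" and sha256 not in seen:
                seen.append(sha256)
    return seen


if __name__ == "__main__":
    for path, entries in group_by_path(FILE_RECORDS).items():
        print(path.rsplit("\\", 1)[-1], [e[3] for e in entries])
    print(len(sha256_blocklist(FILE_RECORDS)), "hashes to block")
```

Extending FILE_RECORDS to the full Files section is mechanical; the point is that a path with two "content" captures yields two hashes to block, both legitimate, while a "zero-byte" capture yields none.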