Malware Analysis Report

2024-11-13 14:08

Sample ID 240226-31jwmaca6w
Target 636c32103ef487d1c30df530296f014b.exe
SHA256 c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
Tags
smokeloader backdoor bootkit persistence trojan upx lumma discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd

Threat Level: Known bad

The file 636c32103ef487d1c30df530296f014b.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor bootkit persistence trojan upx lumma discovery stealer

SmokeLoader

Lumma Stealer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

UPX packed file

Deletes itself

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-26 23:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 23:58

Reported

2024-02-27 00:01

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target | Events
N/A | N/A | N/A | N/A | 6

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\5380.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2824 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\4397.exe | C:\Users\Admin\AppData\Local\Temp\4397.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8150.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fwrcgsb | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fwrcgsb | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fwrcgsb | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\fwrcgsb | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeShutdownPrivilege | N/A | N/A | N/A | 3

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Events
N/A | N/A | N/A | N/A | 2

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Events
N/A | N/A | N/A | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1900 wrote to memory of 2596 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\fwrcgsb | 4
PID 1188 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8150.exe | 4
PID 1964 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\8150.exe | C:\Windows\SysWOW64\WerFault.exe | 4
PID 1188 wrote to memory of 576 | N/A | N/A | C:\Windows\system32\regsvr32.exe | 5
PID 576 wrote to memory of 2716 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 7
PID 1188 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4397.exe | 4
PID 2824 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\4397.exe | C:\Users\Admin\AppData\Local\Temp\4397.exe | 9
PID 1188 wrote to memory of 2220 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5380.exe | 4
PID 1188 wrote to memory of 1128 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B0D.exe | 7
PID 1128 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\7B0D.exe | C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp | 7

Processes

C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe

"C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {79E392AD-AE70-4C10-AEBF-79861FECD7F1} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\fwrcgsb

C:\Users\Admin\AppData\Roaming\fwrcgsb

C:\Users\Admin\AppData\Local\Temp\8150.exe

C:\Users\Admin\AppData\Local\Temp\8150.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F825.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F825.dll

C:\Users\Admin\AppData\Local\Temp\4397.exe

C:\Users\Admin\AppData\Local\Temp\4397.exe

C:\Users\Admin\AppData\Local\Temp\4397.exe

C:\Users\Admin\AppData\Local\Temp\4397.exe

C:\Users\Admin\AppData\Local\Temp\5380.exe

C:\Users\Admin\AppData\Local\Temp\5380.exe

C:\Users\Admin\AppData\Local\Temp\7B0D.exe

C:\Users\Admin\AppData\Local\Temp\7B0D.exe

C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp

"C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp" /SL5="$301C0,2424585,54272,C:\Users\Admin\AppData\Local\Temp\7B0D.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | selebration17io.io | udp
RU | 91.215.85.120:80 | selebration17io.io | tcp
US | 8.8.8.8:53 | joly.bestsup.su | udp
US | 104.21.29.103:80 | joly.bestsup.su | tcp
DE | 185.172.128.19:80 | 185.172.128.19 | tcp

Files

memory/1224-1-0x0000000002490000-0x0000000002590000-memory.dmp

memory/1224-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1224-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1188-4-0x0000000001DB0000-0x0000000001DC6000-memory.dmp

memory/1224-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\fwrcgsb

MD5 636c32103ef487d1c30df530296f014b
SHA1 f280007f3c78b0823d8978bec1c1cdf792bf5fc6
SHA256 c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
SHA512 2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604

memory/2596-14-0x0000000002460000-0x0000000002560000-memory.dmp

memory/2596-15-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1188-16-0x0000000002A30000-0x0000000002A46000-memory.dmp

memory/2596-17-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8150.exe

MD5 77d6b6264a2bbc1764c3c6bb45cc4c82
SHA1 d4861fb655582a9bd96e9c83a6ce4b5c14bb290c
SHA256 e297384a9e41adeb15aa416eded4aa2401318895aa23f33b1ec42000b119c503
SHA512 ef414be344417cd7a4853b599cdbc6172b9b59b5dbbfe4da1b04640a39df76c3c9bfdcfa4e9cc7c366761b5c4acea7d083089009a7026d23a34754251e2823e0

C:\Users\Admin\AppData\Local\Temp\8150.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/1964-27-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1964-25-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1964-29-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1964-33-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

memory/1964-31-0x0000000000230000-0x0000000000ADF000-memory.dmp

memory/1964-34-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1964-39-0x0000000000230000-0x0000000000ADF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F825.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2716-44-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2716-43-0x0000000000100000-0x0000000000106000-memory.dmp

memory/2716-47-0x00000000021F0000-0x0000000002319000-memory.dmp

memory/2716-48-0x0000000002320000-0x000000000242E000-memory.dmp

memory/2824-55-0x0000000003530000-0x00000000036E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4397.exe

MD5 668e25ec4a41c6a6fc11252eaf870560
SHA1 0bcbb44fd3e47037fc012f336d46736cd76e2557
SHA256 5b5254a1a358a59669ff5e5a9dc662887ff8ef078bc2790378670e1708a72317
SHA512 c60282db85e592ce5a40c67ed1a3cf6cbe64454639b76ce976d6c9f7467565357a5a8018446da7b1635a2d5fa069b017beac8be015fd0c10979ac66173cb87f6

C:\Users\Admin\AppData\Local\Temp\4397.exe

MD5 1df9c98963f3d20b3f3f5db8152e3052
SHA1 c8203e4dee088a27c97cb3e334c1dd9aafdd0786
SHA256 cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f
SHA512 bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60

memory/2716-56-0x0000000002320000-0x000000000242E000-memory.dmp

memory/2716-61-0x0000000002320000-0x000000000242E000-memory.dmp

memory/2824-60-0x0000000003530000-0x00000000036E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4397.exe

MD5 057d4899785c88a4b96a30efac0a7f10
SHA1 2304be75b31060360a246617e18a147febbcd080
SHA256 66e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4
SHA512 240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574

\Users\Admin\AppData\Local\Temp\4397.exe

MD5 4b786fa564f50a06a6e84d8fc46f9cb7
SHA1 d675403cf65f70494413e2e08c128adca2d8e8cf
SHA256 46ded921f0e11a4834ea7e6e66867e3a1a56d3a480bb9cf1aa3244871dd81c5c
SHA512 58a1532f8f28a4e36bad9d2d9324ac825f18e20629173fc3febeae70384279ee4337a0633d7583d2cecdd0ea972315d2bb3cb537666b510f587c1217dc5ad4ae

memory/2824-63-0x00000000036F0000-0x00000000038A7000-memory.dmp

memory/1388-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1388-65-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2824-68-0x0000000003530000-0x00000000036E8000-memory.dmp

memory/1388-67-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2716-69-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1388-71-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4397.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/2716-72-0x0000000002320000-0x000000000242E000-memory.dmp

memory/1388-73-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1388-74-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1388-77-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1388-75-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5380.exe

MD5 ed9730742925437660eea83dd42d4044
SHA1 f53fecf5b09f2b7b145dfb1cad4afc28b6994d8c
SHA256 62f6c635aba6b56d89e711030bd6f50b763ffd8396f5ddac0d9fdcf354afcb82
SHA512 dac98e135e64c15161e8836e5ab775604373ea72954b74a975d4f4c750a41a3a039d4ef1ecc6451a8f97c3a2e2d114105e2fefd59b49f64d021b730de79d1901

memory/2220-87-0x0000000002E60000-0x0000000002F60000-memory.dmp

memory/2220-89-0x0000000000300000-0x000000000036B000-memory.dmp

memory/2220-90-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1388-93-0x00000000029A0000-0x0000000002AC9000-memory.dmp

memory/1128-98-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B0D.exe

MD5 b30b3e3495c0b2a9895357d9b068d4b8
SHA1 15ab836b28afe996124efe386a0d56ad2aa479e6
SHA256 3e5706a4dc08b66f67e452129e6f67d9d004a75b0f3ba2ccd2552a0bb657c07b
SHA512 83e87fa3ecc9ece2701ffe45b8b7a677aa5e56ff7ee053f7697bbaec247748b3ed7540f046b5574414c951716f9e0a1ec5f6452978e28c3337f36efbe4429b57

C:\Users\Admin\AppData\Local\Temp\7B0D.exe

MD5 7b96170ca36e7650b9d3a075126b8622
SHA1 311068f2f6282577513123b9181283ffb01d55ce
SHA256 e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6
SHA512 e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd

memory/1388-104-0x0000000002AD0000-0x0000000002BDE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp

MD5 951ac648539bfaa0f113db5e0406de5b
SHA1 1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256 bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d

memory/1128-121-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FE3A0.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-FE3A0.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2220-99-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1388-109-0x0000000002AD0000-0x0000000002BDE000-memory.dmp

memory/1388-122-0x0000000002AD0000-0x0000000002BDE000-memory.dmp

memory/1496-123-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 23:58

Reported

2024-02-27 00:01

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"

Signatures

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target | Events
N/A | N/A | N/A | N/A | 10

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\28ED.exe | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\6589.exe | N/A
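The Run key row above is more specific than its persistence tag: the value is named CSRSS and points at C:\ProgramData\Drivers\csrss.exe, a core Windows process name relaunched from a user-writable directory, and it was written under WOW6432Node by a 32-bit process (28ED.exe). The MBR row, by contrast, only records that \??\PHYSICALDRIVE0 was opened for modification by 6589.exe; the report shows no bytes written, so the bootkit tag is a lead to confirm against a raw disk diff rather than an established finding. The Python below is an added example, not part of the sandbox report, that decodes the registry indicator exactly as the table prints it and scores the autorun entry. The system-process name list and the directory heuristics are this example's own assumptions.

```python
"""Decode and score a Run-key indicator as printed in the report (added example)."""
import ntpath
import re

# Copied verbatim from the "Adds Run key to start application" row.
RUN_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS'
    r' = "\"C:\\ProgramData\\Drivers\\csrss.exe\""'
)

# Example heuristics (assumptions, not from the report): names that belong
# to Windows system processes and should only ever launch from the system
# directories, plus directories any user can write to.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "dwm.exe", "taskhostw.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE = ("c:\\programdata", "c:\\users\\")


def parse_run_indicator(indicator: str):
    """Split 'KEY\\Name = "<escaped data>"' into (key path, value name, data).

    The report prints the value data as a quoted, backslash-escaped literal
    (\\" for a quote, \\\\ for a backslash); this undoes that escaping.
    """
    key, sep, raw = indicator.partition(" = ")
    if not sep:
        raise ValueError("no ' = ' separator in indicator")
    key_path, _, value_name = key.rpartition("\\")
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    data = re.sub(r"\\(.)", r"\1", raw)
    return key_path, value_name, data


def exe_from_command(cmd: str) -> str:
    """First token of a command line, honouring surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def assess_run_entry(indicator: str):
    """Return the list of findings for one Run-key indicator string."""
    key_path, value_name, cmd = parse_run_indicator(indicator)
    exe = exe_from_command(cmd)
    base = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower()
    findings = []
    if base in SYSTEM_PROCESS_NAMES and not directory.startswith(SYSTEM_DIRS):
        findings.append(f"masquerading: {base} launched from {directory}")
    if directory.startswith(USER_WRITABLE):
        findings.append(f"autorun from user-writable path: {exe}")
    if "wow6432node" in key_path.lower():
        findings.append(f"32-bit autorun written under WOW6432Node (value {value_name})")
    return findings


if __name__ == "__main__":
    for finding in assess_run_entry(RUN_INDICATOR):
        print("-", finding)
```

The same decoder applies to any "Set value (str)" indicator in this report format; an entry for a signed vendor binary under C:\Windows\System32 with no WOW6432Node hive produces no findings, which is the point of scoring the path rather than the mere presence of a Run value.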

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5108 set thread context of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\28ED.exe | C:\Users\Admin\AppData\Local\Temp\28ED.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cusribh | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cusribh | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cusribh | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\cusribh | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeShutdownPrivilege | N/A | N/A | N/A | 4 (alternating with the row below)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A | 4

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3232 wrote to memory of 400 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4A7.exe | 3
PID 3232 wrote to memory of 3516 | N/A | N/A | C:\Windows\system32\regsvr32.exe | 2
PID 3516 wrote to memory of 3688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 3
PID 3232 wrote to memory of 5108 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28ED.exe | 3
PID 5108 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\28ED.exe | C:\Users\Admin\AppData\Local\Temp\28ED.exe | 8
PID 3232 wrote to memory of 4328 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6589.exe | 3
PID 3232 wrote to memory of 3920 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\992D.exe | 3
PID 3920 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\992D.exe | C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp | 3
PID 4124 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp | C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe | 3
PID 4124 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp | C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe | 3
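Read together with the SetThreadContext tables, the WriteProcessMemory rows in both runs separate into two very different kinds of event. A parent always writes into a child it has just created (CreateProcess fills in the new process's parameter block), so the writes from PID 1188 / 3232 into each dropped payload, from taskeng.exe into the fwrcgsb copy of the sample, from 8150.exe into WerFault.exe after its crash, and from the 64-bit regsvr32.exe into the 32-bit SysWOW64 copy it relaunches itself as, are expected and carry little signal on their own. The rows that matter are the ones where a write is followed by a SetThreadContext on the same target and both sides share an image (4397.exe into 4397.exe in behavioral1, 28ED.exe into 28ED.exe in behavioral2): that is the hollowing sequence the SetThreadContext signature is flagging. Note that the report gives no image for PID 1188 / 3232, the process that spawns every payload; it is the process the loader stage is running from. The Python below is an added example, not part of the sandbox report, that applies this reasoning to rows in the table's own format (copied from both runs, repeats collapsed). The verdict labels and the expected-behaviour rules are this example's own.

```python
"""Triage WriteProcessMemory / SetThreadContext rows (added example)."""
import ntpath
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables (both behavioral runs), with
# repeated events collapsed. Tuple: (description, source image, target image);
# "N/A" is what the report prints when it has no image for the source.
EVENTS = [
    ("PID 1900 wrote to memory of 2596", r"C:\Windows\system32\taskeng.exe", r"C:\Users\Admin\AppData\Roaming\fwrcgsb"),
    ("PID 1188 wrote to memory of 1964", "N/A", r"C:\Users\Admin\AppData\Local\Temp\8150.exe"),
    ("PID 1964 wrote to memory of 1932", r"C:\Users\Admin\AppData\Local\Temp\8150.exe", r"C:\Windows\SysWOW64\WerFault.exe"),
    ("PID 576 wrote to memory of 2716", r"C:\Windows\system32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe"),
    ("PID 2824 wrote to memory of 1388", r"C:\Users\Admin\AppData\Local\Temp\4397.exe", r"C:\Users\Admin\AppData\Local\Temp\4397.exe"),
    ("PID 2824 set thread context of 1388", r"C:\Users\Admin\AppData\Local\Temp\4397.exe", r"C:\Users\Admin\AppData\Local\Temp\4397.exe"),
    ("PID 3232 wrote to memory of 400", "N/A", r"C:\Users\Admin\AppData\Local\Temp\A4A7.exe"),
    ("PID 5108 wrote to memory of 1956", r"C:\Users\Admin\AppData\Local\Temp\28ED.exe", r"C:\Users\Admin\AppData\Local\Temp\28ED.exe"),
    ("PID 5108 set thread context of 1956", r"C:\Users\Admin\AppData\Local\Temp\28ED.exe", r"C:\Users\Admin\AppData\Local\Temp\28ED.exe"),
]

PAT = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")

# Verdict labels are this example's own, not the sandbox's.
HOLLOWING = "process hollowing: write + SetThreadContext into a copy of its own image"
INJECTION = "write + SetThreadContext into a different image"
WOW64 = "expected: 64-bit regsvr32 relaunching its SysWOW64 copy"
CRASH = "expected: crashing process handing off to WerFault"
CHILD_SETUP = "low signal: parent writing into a child it just created"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events):
    """Map (source pid, target pid) -> verdict, using only what the rows say."""
    writes, set_ctx, images = defaultdict(int), set(), {}
    for desc, src_img, dst_img in events:
        m = PAT.match(desc)
        if not m:
            raise ValueError(f"unrecognised row: {desc!r}")
        src, action, dst = int(m[1]), m[2], int(m[3])
        if src_img != "N/A":
            images[src] = src_img
        images[dst] = dst_img
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            set_ctx.add((src, dst))

    verdicts = {}
    for src, dst in set(writes) | set_ctx:
        s, d = images.get(src, "").lower(), images.get(dst, "").lower()
        if (src, dst) in set_ctx:
            # A thread-context change after writes is the hollowing tell;
            # the same image on both sides is the textbook self-hollowing case.
            verdicts[(src, dst)] = HOLLOWING if s and _base(s) == _base(d) else INJECTION
        elif _base(s) == _base(d) == "regsvr32.exe" and "system32" in s and "syswow64" in d:
            verdicts[(src, dst)] = WOW64
        elif _base(d) == "werfault.exe":
            verdicts[(src, dst)] = CRASH
        else:
            verdicts[(src, dst)] = CHILD_SETUP
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in sorted(triage(EVENTS).items()):
        print(f"{src:>5} -> {dst:<5} {verdict}")
```

Run on the rows above this yields exactly two hollowing verdicts (2824 into 1388 and 5108 into 1956); everything else in the tables is process-creation plumbing. On a live host the same rule translates to: alert on SetThreadContext / NtSetContextThread against a suspended child of the same image, not on WriteProcessMemory alone.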

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe

"C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"

C:\Users\Admin\AppData\Roaming\cusribh

C:\Users\Admin\AppData\Roaming\cusribh

C:\Users\Admin\AppData\Local\Temp\A4A7.exe

C:\Users\Admin\AppData\Local\Temp\A4A7.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D667.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D667.dll

C:\Users\Admin\AppData\Local\Temp\28ED.exe

C:\Users\Admin\AppData\Local\Temp\28ED.exe

C:\Users\Admin\AppData\Local\Temp\28ED.exe

C:\Users\Admin\AppData\Local\Temp\28ED.exe

C:\Users\Admin\AppData\Local\Temp\6589.exe

C:\Users\Admin\AppData\Local\Temp\6589.exe

C:\Users\Admin\AppData\Local\Temp\992D.exe

C:\Users\Admin\AppData\Local\Temp\992D.exe

C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp" /SL5="$B0218,2424585,54272,C:\Users\Admin\AppData\Local\Temp\992D.exe"

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | selebration17io.io | udp
RU | 91.215.85.120:80 | selebration17io.io | tcp
US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | resergvearyinitiani.shop | udp
US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp
US | 8.8.8.8:53 | technologyenterdo.shop | udp
US | 172.67.180.132:443 | technologyenterdo.shop | tcp
US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp
US | 8.8.8.8:53 | problemregardybuiwo.fun | udp
US | 8.8.8.8:53 | detectordiscusser.shop | udp
US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp
US | 172.67.195.126:443 | detectordiscusser.shop | tcp
US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp
US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | pooreveningfuseor.pw | udp
US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp
US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp
US | 8.8.8.8:53 | associationokeo.shop | udp
US | 172.67.147.18:443 | associationokeo.shop | tcp
US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | joly.bestsup.su | udp
US | 104.21.29.103:80 | joly.bestsup.su | tcp
US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp
N/A | 127.0.0.1:62812 | N/A | tcp
PL | 145.239.84.172:80 | N/A | tcp
DE | 217.182.198.95:443 | N/A | tcp
US | 8.8.8.8:53 | 172.84.239.145.in-addr.arpa | udp
CH | 46.19.141.85:8100 | N/A | tcp
DE | 185.220.100.251:9000 | N/A | tcp
US | 8.8.8.8:53 | 251.100.220.185.in-addr.arpa | udp
DE | 185.172.128.19:80 | 185.172.128.19 | tcp
US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp

Files
