Analysis Overview
SHA256
9f706ef0f596b25a281b45ce2e0ebb4fa0fb32b53d3e6e386fc5bdda68f46930
Threat Level: Known bad
The file ZenSoft.rar was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Lumma Stealer
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
GoLang User-Agent
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-29 16:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-29 16:43
Reported
2023-07-29 16:47
Platform
win7-20230712-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.3:443 | github.com | tcp |
Files
memory/2596-54-0x00000000778A0000-0x00000000778A2000-memory.dmp
memory/2596-56-0x00000000778A0000-0x00000000778A2000-memory.dmp
memory/2596-59-0x00000000776F0000-0x0000000077899000-memory.dmp
memory/2596-58-0x00000000778A0000-0x00000000778A2000-memory.dmp
memory/2596-60-0x000000013F090000-0x000000014240C000-memory.dmp
memory/2596-64-0x00000000776F0000-0x0000000077899000-memory.dmp
memory/2596-65-0x00000000776F0000-0x0000000077899000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-29 16:43
Reported
2023-07-29 16:47
Platform
win10v2004-20230703-en
Max time kernel
70s
Max time network
161s
Command Line
Signatures
Laplas Clipper
Lumma Stealer
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4828 set thread context of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Enumerates physical storage devices
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAyADUA
C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe
"C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe"
C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe
"C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p151971033210090161381766327410 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "4.exe"
C:\Users\Admin\AppData\Local\Temp\main\4.exe
"4.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGkARQBvAGUAMQAyADEAdABkAEMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAEcASgBBAGIAUgBBADEAdABUACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEQAQwBMAGIAWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAGkARABpAGkAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGkARQBvAGUAMQAyADEAdABkAEMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAEcASgBBAGIAUgBBADEAdABUACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEQAQwBMAGIAWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAGkARABpAGkAIwA+AA=="
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7205" /TR "C:\ProgramData\Dllhost\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | owen-wilson-wow-api.onrender.com | udp |
| US | 216.24.57.3:443 | owen-wilson-wow-api.onrender.com | tcp |
| US | 8.8.8.8:53 | 3.57.24.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update-vinc.in.net | udp |
| NL | 194.87.31.176:443 | update-vinc.in.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.31.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| N/A | 194.50.153.183:80 | 194.50.153.183 | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 183.153.50.194.in-addr.arpa | udp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.3:443 | github.com | tcp |
| US | 140.82.113.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 3.113.82.140.in-addr.arpa | udp |
| NL | 185.209.161.189:80 | 185.209.161.189 | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.161.209.185.in-addr.arpa | udp |
| NL | 2.22.54.122:443 | www.bing.com | tcp |
| NL | 2.22.54.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 122.54.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/4828-134-0x00007FFE602B0000-0x00007FFE602B2000-memory.dmp
memory/4828-135-0x00007FF6AAEB0000-0x00007FF6AE22C000-memory.dmp
memory/2300-139-0x000001C1EA210000-0x000001C1EA232000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilcnrcqt.0wj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2300-149-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
memory/2300-150-0x000001C1E9950000-0x000001C1E9960000-memory.dmp
memory/2300-151-0x000001C1E9950000-0x000001C1E9960000-memory.dmp
memory/2300-152-0x000001C1E9950000-0x000001C1E9960000-memory.dmp
memory/2300-155-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/4616-166-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
memory/4616-167-0x0000017B0D100000-0x0000017B0D110000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1bad2704664b4c1a190586ec492be65f |
| SHA1 | 1c98e6645c66774152c184d23f7a3178ce522e7b |
| SHA256 | 5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e |
| SHA512 | 668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0 |
memory/4616-168-0x0000017B0D100000-0x0000017B0D110000-memory.dmp
memory/4616-170-0x0000017B0D100000-0x0000017B0D110000-memory.dmp
memory/4616-171-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
memory/4616-172-0x0000017B0D100000-0x0000017B0D110000-memory.dmp
memory/4616-173-0x0000017B0D100000-0x0000017B0D110000-memory.dmp
memory/4616-175-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
memory/3836-176-0x0000000000400000-0x0000000000464000-memory.dmp
memory/3836-178-0x0000000000400000-0x0000000000464000-memory.dmp
memory/3064-179-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
memory/3064-180-0x000001CA62880000-0x000001CA62890000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fc28168b916bf9744961653d503e1164 |
| SHA1 | 71deadab13b81a414582f931e9af010152463644 |
| SHA256 | a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9 |
| SHA512 | 08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9 |
memory/3064-191-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp
memory/3064-192-0x000001CA62880000-0x000001CA62890000-memory.dmp
memory/3064-193-0x000001CA62880000-0x000001CA62890000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe
| MD5 | d076c4b5f5c42b44d583c534f78adbe7 |
| SHA1 | c35478e67d490145520be73277cd72cd4e837090 |
| SHA256 | 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8 |
| SHA512 | b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638 |
C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe
| MD5 | d076c4b5f5c42b44d583c534f78adbe7 |
| SHA1 | c35478e67d490145520be73277cd72cd4e837090 |
| SHA256 | 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8 |
| SHA512 | b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638 |
C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe
| MD5 | 6736c0e1179296ff6dfa0191ac874c7a |
| SHA1 | 89566e42fb866eecf5e8282b967461299ab7a08c |
| SHA256 | c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4 |
| SHA512 | 85791acbc9d538b92ac3c10a5ee87638ee0d9dd0323aa1eaf38c1c055e4312e5722f6b07e3f450c00cd595123a9981815a8ca972432749ee830852a76177125c |
C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe
| MD5 | 6736c0e1179296ff6dfa0191ac874c7a |
| SHA1 | 89566e42fb866eecf5e8282b967461299ab7a08c |
| SHA256 | c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4 |
| SHA512 | 85791acbc9d538b92ac3c10a5ee87638ee0d9dd0323aa1eaf38c1c055e4312e5722f6b07e3f450c00cd595123a9981815a8ca972432749ee830852a76177125c |
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 7f4c4965a2f78d6de87d304fdd355abf |
| SHA1 | 87a05c16753a036126677fe53118c07d36c0e671 |
| SHA256 | ed489607187114988306637dae2b81eff225315a8a8ee221249d14430f264fdb |
| SHA512 | 41c949862477065b8f537670b6747074c9e543753812fcb28b02be12b1bbf0fb8b9473ea0859fb1450fee848d62d4c70249d09f48a5e5eac15eb510b70b3f741 |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 7cebec977eb671d25c4160ee75cbf124 |
| SHA1 | e09e0e906834b7f2ec270ba589a01e455ebdf0d1 |
| SHA256 | f0e78c63d52116f121709480935013c26a99bd85ba6bfd5100bc5e4411c7178e |
| SHA512 | b79c8d6d4c947fdee755ef81c5c36d657ca1b4030c8f90f906961a22968c98d8fb6e33302191c28135c2593598876b6921f766270a50063754927b4404c798d1 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 270d4612657b69eda3ebbb1207fc8cd7 |
| SHA1 | e023ff99c13c056fa7f80b55dc12f1d02df92114 |
| SHA256 | 83b0eb7eee4c982f034d53b7541758fac699956433baeedf9b8f4494e367b5e7 |
| SHA512 | 6fe46a7dd1fc6930646e3ba08306e1cfe826dcba6b7e3af1c9439157f35919739940e1d8143c6abecfa83f6b92d324764dfa8ca54dca91250b849c2cd138e6fe |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 018ccdb718d3ad7641fecfdad0fbeb4e |
| SHA1 | 46cdffdea8e44b455873659a35dcd973364a84dd |
| SHA256 | 708b3379e029aafb112f890a6ae10f2a4eebe52eef991d2d6136a11fe84143b5 |
| SHA512 | dcd1494429ced81dfbcc83cb8c87d4cd42719d53918834e16691c0d068631ae39fe0381c668e92341a5cdccf75877c2af3ae81c66b6d37e4b149f68a06ab2803 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 4762f0b6652250641a06e2029d6dda23 |
| SHA1 | bfa7925486f951f729b3ce47caa6ff52330420ad |
| SHA256 | 1e9654f0b077cfb8c393cb6cfd3d2b7918d87d56eaaf14f8523a582343d13b4e |
| SHA512 | 33227e64cc34f7e591f6a26b6eaef2f2b4369050e5a2c544413b8f8264114083a93fa70911810c19390ed3d1724bd73c135a2acf11f12f70892f20609593c72d |
C:\Users\Admin\AppData\Local\Temp\main\extracted\4.exe
| MD5 | a761e93d5993567d382af163745760ad |
| SHA1 | 27bd150490cd443a60bb70fa8b83299d75e02779 |
| SHA256 | 1edbffa93edd8b72a352aec6bbf6cd36b1045b26b8dfa141b10067aaddc8d6e1 |
| SHA512 | c9e4d46a747e02b7f387d6551f2d26ce847e66a69b8a8bddb276a83388b367f2fa28153402d5f274a81fcc260840afc043c4b853dd06d87125980a49934f14fa |
C:\Users\Admin\AppData\Local\Temp\main\4.exe
| MD5 | a761e93d5993567d382af163745760ad |
| SHA1 | 27bd150490cd443a60bb70fa8b83299d75e02779 |
| SHA256 | 1edbffa93edd8b72a352aec6bbf6cd36b1045b26b8dfa141b10067aaddc8d6e1 |
| SHA512 | c9e4d46a747e02b7f387d6551f2d26ce847e66a69b8a8bddb276a83388b367f2fa28153402d5f274a81fcc260840afc043c4b853dd06d87125980a49934f14fa |
memory/2852-239-0x0000000000B60000-0x0000000000B6C000-memory.dmp
memory/2852-240-0x0000000073600000-0x0000000073DB0000-memory.dmp
memory/2852-241-0x0000000005970000-0x0000000005F14000-memory.dmp
memory/2852-243-0x0000000005460000-0x00000000054F2000-memory.dmp
memory/2852-244-0x00000000056A0000-0x00000000056B0000-memory.dmp
memory/2852-245-0x0000000005430000-0x000000000543A000-memory.dmp
memory/2852-246-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/4132-247-0x0000000003050000-0x0000000003086000-memory.dmp
memory/4132-248-0x0000000073600000-0x0000000073DB0000-memory.dmp
memory/4132-249-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/4132-250-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/4132-251-0x0000000005850000-0x0000000005E78000-memory.dmp
memory/4132-252-0x0000000005E80000-0x0000000005EA2000-memory.dmp
memory/4132-253-0x0000000005F20000-0x0000000005F86000-memory.dmp
memory/4132-263-0x0000000006620000-0x000000000663E000-memory.dmp
memory/4132-264-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/4132-269-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/2852-280-0x0000000073600000-0x0000000073DB0000-memory.dmp
memory/4132-281-0x000000007F480000-0x000000007F490000-memory.dmp
memory/4132-279-0x0000000006BD0000-0x0000000006BEE000-memory.dmp
memory/4132-268-0x0000000006C30000-0x0000000006C62000-memory.dmp
memory/4132-282-0x0000000007F90000-0x000000000860A000-memory.dmp
memory/4132-283-0x0000000007930000-0x000000000794A000-memory.dmp
memory/4132-285-0x00000000079A0000-0x00000000079AA000-memory.dmp
memory/4132-287-0x0000000007BC0000-0x0000000007C56000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 094987ceeda8953af67c8f5b0c7179ba |
| SHA1 | f03cf12f669e6a79cc614669f41e51de77cfc290 |
| SHA256 | d6868f311d61c1d5e09468effe5842c47c45524e06f6c8d0e3e79960986c9b02 |
| SHA512 | 7a0d7ff99bb2b893959ea4332901334fe89a490c6cb1ebbe7ee0ed25f1bdd6398a667099d8e8fa572b7aa7b88bdd9114e1b2513ab8122bccc4e53d2704d05622 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | e4155d52bb04a3e272b7fc644329b9b3 |
| SHA1 | 737f31d70a25a552c47d214685f18c66326e7865 |
| SHA256 | 7d0ddb4d7fc1dcb59b726e62a0b96c468d836e4ba5a0d2dfabf005d2a0ee293a |
| SHA512 | 689d1833032ab05f92eb7929dbb7ac68b584fb46a28e3b690d5ea9cedde48c1064d8a81de5a1a1e3bb022e93ec314227174ef1cdcc8fb86d02679a716f31e34c |
memory/2852-292-0x00000000056A0000-0x00000000056B0000-memory.dmp
memory/4132-293-0x0000000007B70000-0x0000000007B7E000-memory.dmp
memory/4132-295-0x0000000073600000-0x0000000073DB0000-memory.dmp
memory/4132-294-0x0000000007CA0000-0x0000000007CBA000-memory.dmp
memory/4132-296-0x00000000053E0000-0x00000000053E8000-memory.dmp
memory/4132-297-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/4132-298-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/2852-300-0x0000000073600000-0x0000000073DB0000-memory.dmp
memory/4132-302-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/4132-303-0x000000007F480000-0x000000007F490000-memory.dmp
memory/4132-306-0x0000000073600000-0x0000000073DB0000-memory.dmp