Malware Analysis Report

2025-03-15 05:17

Sample ID 231212-pdlvtacfgl
Target 0x0006000000023125-1062.dat
SHA256 642da4d1db6d446d3d119e7f8f56b98b41d5fc931e0112325bc4fbd70b05314c
Tags
smokeloader glupteba redline zgrat @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

642da4d1db6d446d3d119e7f8f56b98b41d5fc931e0112325bc4fbd70b05314c

Threat Level: Known bad

The file 0x0006000000023125-1062.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader glupteba redline zgrat @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader rat trojan

Glupteba payload

Glupteba

RedLine

SmokeLoader

Detect ZGRat V1

ZGRat

RedLine payload

Smokeloader family

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 12:12

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 12:12

Reported

2023-12-12 12:15

Platform

win7-20231020-en

Max time kernel

39s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(7 matches; no description, indicator, process or target recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches; no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E995.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
(62 further matches; no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE9.exe
PID 1180 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE9.exe
PID 1180 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE9.exe
PID 1180 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE9.exe
PID 1180 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\E995.exe
PID 1180 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\E995.exe
PID 1180 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\E995.exe
PID 1180 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\E995.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe"

C:\Users\Admin\AppData\Local\Temp\ABE9.exe

C:\Users\Admin\AppData\Local\Temp\ABE9.exe

C:\Users\Admin\AppData\Local\Temp\E995.exe

C:\Users\Admin\AppData\Local\Temp\E995.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp" /SL5="$7011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231212121339.log C:\Windows\Logs\CBS\CbsPersist_20231212121339.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\4378.exe

C:\Users\Admin\AppData\Local\Temp\4378.exe

C:\Users\Admin\AppData\Local\Temp\482A.exe

C:\Users\Admin\AppData\Local\Temp\482A.exe
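The process tree above records the behaviors a detection engineer would want to catch on a live host rather than in a sandbox: a firewall allow rule for a program under C:\Windows\rss, a logon-triggered scheduled task running with the highest run level, a binary named csrss.exe executing outside System32, and an injector passing a DLL from Temp on its command line. The following is an editor-added example (not code from the sandbox vendor or from any product) that runs those checks over the command lines copied from this report. The trusted-directory list, the set of system-process names and the user-writable path markers are the editor's assumptions and should be tuned to the environment being defended.

```python
"""Editor-added triage over the command lines recorded in the process tree above.

Not code from the sandbox or from any vendor. The command lines are copied
from the behavioral1 Processes section; TRUSTED_DIRS, SYSTEM_PROCESS_NAMES
and USER_WRITABLE_MARKERS are the editor's assumptions.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    path: str
    command_line: str


# Constructed input: command lines copied from the behavioral1 process tree.
OBSERVED_COMMAND_LINES = [
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"C:\Windows\rss\csrss.exe",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231212121339.log C:\Windows\Logs\CBS\CbsPersist_20231212121339.cab',
]

# Assumed trust boundaries (editor's choice, not something the report states).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative",
                r"c:\program files", r"c:\program files (x86)")
SYSTEM_DIRS = TRUSTED_DIRS[:3]
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "svchost.exe", "winlogon.exe", "wininit.exe"}
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\users\public", r"\programdata")

# A quoted path (may contain spaces) or an unquoted one.
_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^"\s]+)')


def windows_paths(cmdline: str) -> List[str]:
    return [quoted or bare for quoted, bare in _PATH_RE.findall(cmdline)]


def in_trusted_dir(path: str) -> bool:
    return any(path.lower().startswith(d + "\\") for d in TRUSTED_DIRS)


def check_firewall_rule(cmd: str) -> List[Finding]:
    """netsh advfirewall ... add rule ... action=allow program=X, with X outside a trusted dir."""
    if not re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", cmd, re.I):
        return []
    if not re.search(r"\baction=allow\b", cmd, re.I):
        return []
    m = re.search(r'program=(?:"([^"]+)"|(\S+))', cmd, re.I)
    if not m:
        return []
    program = m.group(1) or m.group(2)
    return [] if in_trusted_dir(program) else [Finding("firewall_allow_untrusted_program", program, cmd)]


def check_scheduled_task(cmd: str) -> List[Finding]:
    """schtasks /CREATE whose /TR action runs from outside a trusted dir; note /RL HIGHEST."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmd, re.I):
        return []
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    if not m:
        return []
    action = m.group(1) or m.group(2)
    paths = windows_paths(action)
    target = paths[0] if paths else action   # first path in the action is the program launched
    if in_trusted_dir(target):
        return []
    rule = "schtasks_untrusted_action"
    if re.search(r"/rl\s+highest\b", cmd, re.I):
        rule += "_highest_runlevel"
    return [Finding(rule, target, cmd)]


def check_masquerade(cmd: str) -> List[Finding]:
    """A core Windows process name (csrss.exe, ...) executing from outside the system directories."""
    out = []
    for p in windows_paths(cmd):
        directory, _, name = p.rpartition("\\")
        if name.lower() in SYSTEM_PROCESS_NAMES and directory.lower() not in SYSTEM_DIRS:
            out.append(Finding("system_process_name_outside_system32", p, cmd))
    return out


def check_user_writable_dll(cmd: str) -> List[Finding]:
    """A DLL under a user-writable directory passed on a command line (injection tooling)."""
    return [Finding("dll_from_user_writable_dir", p, cmd) for p in windows_paths(cmd)
            if p.lower().endswith(".dll") and any(k in p.lower() for k in USER_WRITABLE_MARKERS)]


CHECKS = (check_firewall_rule, check_scheduled_task, check_masquerade, check_user_writable_dll)


def triage(command_lines) -> List[Finding]:
    return [f for cmd in command_lines for check in CHECKS for f in check(cmd)]


if __name__ == "__main__":
    for f in triage(OBSERVED_COMMAND_LINES):
        print(f"{f.rule:45} {f.path}")
```

The makecab.exe line is included as a negative case: it is Windows compressing its own CBS log from a system directory and produces no finding. The firewall rule is reported twice because both the cmd.exe wrapper and the netsh.exe child carry it on their command lines, which is what an endpoint telemetry feed would show as well.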

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 cb4e6896-3b7e-49b4-a61d-8649a129c2ab.uuid.myfastupdate.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
FR 185.221.198.96:80 tcp
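Not every row in a sandbox network table is an indicator. The 8.8.8.8:53 destinations are the resolver the sandbox forwards to; the evidence in those rows is the queried name, not the address. The Microsoft symbol-server names (msdl.microsoft.com and the blob.core.windows.net storage host) are often dismissed as sandbox noise, but here they sit alongside symsrv.dll, dbghelp.dll and several ntkrnlmp.exe copies dropped into Temp next to patch.exe (see Files below), which is consistent with the sample fetching kernel symbols itself; that reading is the editor's inference, not something the report states. The editor-added example below (not code from the sandbox vendor) sorts the rows of this table, plus the three in-addr.arpa rows from behavioral2 so that PTR lookups are decoded as well, into C2 candidates, symbol-server traffic, reverse lookups and resolver plumbing. The resolver address, the symbol-server suffixes and the UUID-label heuristic are the editor's assumptions.

```python
"""Editor-added IOC classification of the Network tables in this report.

Not code from the sandbox or any vendor. The rows are copied from the
behavioral1 table plus the in-addr.arpa rows from behavioral2. RESOLVER_IPS,
SYMBOL_SERVER_SUFFIXES and the UUID heuristic are the editor's assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

Row = Tuple[str, str, str, str]   # country, destination, domain, proto

# Constructed input: rows copied from the Network tables of this report.
NETWORK_ROWS: List[Row] = [
    ("RU", "81.19.131.34:80", "81.19.131.34", "tcp"),
    ("RU", "185.172.128.19:80", "185.172.128.19", "tcp"),
    ("RU", "77.105.132.87:17066", "", "tcp"),
    ("US", "8.8.8.8:53", "cb4e6896-3b7e-49b4-a61d-8649a129c2ab.uuid.myfastupdate.org", "udp"),
    ("US", "8.8.8.8:53", "msdl.microsoft.com", "udp"),
    ("US", "204.79.197.219:443", "msdl.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "vsblobprodscussu5shard30.blob.core.windows.net", "udp"),
    ("US", "20.150.79.68:443", "vsblobprodscussu5shard30.blob.core.windows.net", "tcp"),
    ("FR", "185.221.198.96:80", "", "tcp"),
    ("US", "8.8.8.8:53", "83.177.190.20.in-addr.arpa", "udp"),      # behavioral2
    ("US", "8.8.8.8:53", "173.178.17.96.in-addr.arpa", "udp"),      # behavioral2
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),     # behavioral2
]

RESOLVER_IPS = {"8.8.8.8"}                                                # assumption: sandbox DNS forwarder
SYMBOL_SERVER_SUFFIXES = ("msdl.microsoft.com", ".blob.core.windows.net")  # assumption
SYMBOL_TOOLING = {"symsrv.dll", "dbghelp.dll", "ntkrnlmp.exe"}            # basenames dropped per the Files section
_UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)
_PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-lookup name back into the address that was looked up."""
    m = _PTR.match(name)
    return ".".join(reversed(m.groups())) if m else None


def classify_rows(rows) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {k: [] for k in
                                     ("c2_candidate_ip", "c2_candidate_domain", "symbol_server", "ptr_lookup", "resolver")}

    def add(bucket: str, value: str) -> None:
        if value not in buckets[bucket]:
            buckets[bucket].append(value)

    for _country, destination, domain, proto in rows:
        host, _, port = destination.rpartition(":")
        if host in RESOLVER_IPS and port == "53":
            add("resolver", host)                  # plumbing, never an IOC on its own
            ip = ptr_to_ip(domain)
            if ip:
                add("ptr_lookup", ip)              # the address the sample asked about
            elif domain.endswith(SYMBOL_SERVER_SUFFIXES):
                add("symbol_server", domain)
            elif domain:
                add("c2_candidate_domain", domain)
            continue
        if domain.endswith(SYMBOL_SERVER_SUFFIXES):
            add("symbol_server", domain)
            continue
        # No name at all, or the name is the literal IP: a direct-to-IP connection.
        add("c2_candidate_ip", f"{host}:{port}/{proto}")
    return buckets


def per_victim_labels(domains) -> List[str]:
    """Domains whose leftmost label is a UUID look like per-infection beacon names;
    the parent zone is the thing worth blocking, not the one-off hostname."""
    return [d.split(".", 1)[1] for d in domains if _UUID_LABEL.match(d)]


def symbol_traffic_is_sample_driven(dropped_basenames) -> bool:
    """True when the symbol-fetching tooling was dropped by the sample, so the
    msdl.microsoft.com traffic is attributable to it rather than to the sandbox."""
    return SYMBOL_TOOLING <= {b.lower() for b in dropped_basenames}


if __name__ == "__main__":
    for bucket, values in classify_rows(NETWORK_ROWS).items():
        print(bucket, values)
    print("block zone:", per_victim_labels(classify_rows(NETWORK_ROWS)["c2_candidate_domain"]))
```

Feeding the classifier the file basenames from the Files section tells you whether to keep or discard the symbol-server rows; with symsrv.dll, dbghelp.dll and ntkrnlmp.exe present they stay in the report as sample-driven traffic, which matters when the same pattern shows up on a host that has no debugging tools installed.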

Files

memory/2348-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2348-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1180-1-0x0000000002A80000-0x0000000002A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABE9.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2144-12-0x00000000000F0000-0x000000000012C000-memory.dmp

memory/2144-17-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2144-18-0x0000000004E40000-0x0000000004E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E995.exe

MD5 4ee408d798b675ddb4fca13c0c10b77b
SHA1 f331dfa9c7827d1bb045999165d8a684230247e1
SHA256 b7fd6c9a2511c009257fc4bff9758719ba6a255471aee463c537234c9628d9eb
SHA512 e13ac88e59b104b9b2cf0e86aad04ef66246cefe17a21eb5748baca456a618bfc2f059d1a9da243c0c9e6a8a71b33fb2542fde374c0be5592378f55fe40e89e8

C:\Users\Admin\AppData\Local\Temp\E995.exe

MD5 b94260a800904aed3066679b3ec41659
SHA1 a737e1cdabd35dac53f00d4dfa9ff38119b96f29
SHA256 9fcb235f51162ec30ef5349b69c89417bd6be6715c642997fbb525321902f2f1
SHA512 7d7b7a758e3d28cf2852060b5aa7f7ffafe3e9e15bb55daed01d5078ba81ee3f0e3f9885c10ed6fc9cf6f075ddca8bf0de20987527b59b6768b466a06ba7d6e4

memory/2732-26-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2732-27-0x0000000000F60000-0x0000000002416000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 3d61b9dc5fdc57d259b7b299afd156bc
SHA1 e2aed00ebc1c59672b37599e655f2b7a2a2487b9
SHA256 d2f159a5a666b1462910d84f1a6b73c43559fa8d25e6e5f34cc4050b42471519
SHA512 d62ae724ab09caa08bec5296e5bce105a23412cde3f918c08baf72080ef09e3fcea13b6548cd74bf4d9ff530969d343d8e088e3d3f62b72067902fd6e79fa7c5

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 ccd988d7e038840ff4c16ac2e1d34f73
SHA1 d77a73aebd1d564996dfb3b8d1a6d03bee3dd042
SHA256 5c60ee5997512a97b5e4844ced37a3a7f51b2e8cf4155adb5fb7cfcf228fd4e9
SHA512 fc74a93b2cc25ca4be3cf273cefb2255fb4cc76622a5f291b27864b5d811b785176a6a9dcd1c021ac442f40a881f0685887b3a60fac76e8b5344d34eaa5a1d33

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 85cf2fdbc67f32a1104f27f56381e6d6
SHA1 53a764d0e42f25c219f0820337b1ea4b3c350f8d
SHA256 f596d65e4d0b057a81f7ea50144c192b8fa28494ce0e72b92141991ee5f84003
SHA512 c7420f0e49da906456bc044fb22daeb3f3f6c44b62d89e2f6c9503e97583957395618b1e39fbc2bba846d5e487adbf1cb4f54752dc5c7ae375c1b809db8f10c4

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 61ce4c53d5198f9393633555b0358dbc
SHA1 0fb12a9e5e91a0c0761015630a930f200f7dedd1
SHA256 0742c191b8b213689e6aba93bfe8141c311cb88b9bbdbf931aa81058f0975b12
SHA512 60deb2bf17c53cb19af67805c7ef3fd10b4476c1f96de2933ce0b66d533a6835630013c23e47720eb86f862f9cfd9e2df4bd84cba6305a5fe7a9e6ba63d1fddf

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 c9b44d171c72e258ee8590c289978206
SHA1 c1eeb36cd7b2b8eb23781f5bc916eaaa281b2e65
SHA256 57548cdf319c57e781453c6ddb9fda5a6d22dbf95d195d60aad155ed8b550445
SHA512 4247162453e36120d627a0a62c281d22d5134df9e7de55f805b48cf1a3899298595c138ba913f942d1a86deee1cfdf770cb3ce77ffaee5da9af88a589155e1d3

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d80b477a48342d09535f36919e139380
SHA1 c38fa2a9491e510575fe653423ef6fe24aa22a95
SHA256 645385bae6c647647b2656a43a0993fb13a4866bfedcb0e8fe20043d05592585
SHA512 130f1202e22dca67fc0d8a8825732b722eabb21e9e38f85ac9de6e0c53b38beb41cd0419fe2358001c61d4837907d9d0b3b1d1f5c13f1390b9498b69b7c9ae82

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9181420c8eda830a8022ce87c7a782a7
SHA1 ad33d01a43a59ed154695dcf4682ab500b4aa9c3
SHA256 3fc9993a28dac134f3bf61ccb0a40cdb1d25688c153789194b953f8777c121d6
SHA512 4e7ce8da945b5f38a356b40b2aab8fd2778e7951767060d2c8a53ff1c1cc448d7d5e5e6b56be1a79d0cc74eac8f72968419e3446746525fd15d954b102f96237

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 479e80ae84dd1db5aa6dded12cc92df2
SHA1 3d6e1fc05ab7ebf96fcf2f68b693a18ab804750c
SHA256 69aaab7f475b5036db517b6ef6d9fbbad6afa529c7697c7391301d63641121db
SHA512 732df4db6dd69fb7ee9af1b820a04e5a1fdd36cac6f7b1755a7dfee88303d020c9402340f064766a3f04caf6827cac05eb219186185eab6dc5266ea4f793bde4

memory/2808-61-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 00dc8f86d96bfd96e0ccf9419c870d98
SHA1 c86017df86171b496532c81310759d4e5ad1ec06
SHA256 84056a7cfda657c841597140ea0be296bccff4837a2f83935e4271b915d04cdf
SHA512 d87b87becd344712ad9736191fd5fe9468145e3c795fae90b99c837b7b737661f6c71086f8b29f55e411450958d9d618345985852a05a48b3c7c462e318e1e7d

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 5df4eb999cdc77ca08e40683ee0f5041
SHA1 bb13c97d01717cc218ddbbe991c8aac2335b43d1
SHA256 41c99e6873f9569da65ec752f2dce556ee08d4c0c6ce05950c41a7e05cf626fd
SHA512 59f42991e9eee9fa8f90feceeb42775bda20bf4c989ae82ac7e593dd6255b670fee3be5e3f6732f97cb7f289eee91ba25c9ca70f4418772dabd90d52db284a74

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 40658b8fd84093d2d74605677394c8ca
SHA1 eef7081d6334a85c3b0fa7933c64fb48892d3b83
SHA256 3c9b07ffeb516c197199d0b64521c485ddbf037eeebe82a983c64f9f02ce8c5e
SHA512 a80fe11abbd2827d60b9d615fefc8fe6cb5c4a5b474db69a0bb0c77f63882615b711209ba10af231c81e1143891343b69fbf39d325afc31a0b31f5299f3e8234

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 0a90f231fcfede6e071cfa5e88b244f7
SHA1 161954936f6bef19c895d6798a9ebc1e36eb8d5f
SHA256 79ea00cd8c63517f97df7948f4ecd1ee2a9b675d3e5af787ee27fab78abe576e
SHA512 0f9ce57279ce81200514c843038b640c4a2138badf12a57651360a906dab9f3ee4c6e3b4473a2eebc4e819db587ef217fd49d5871d1607f8609e8b1942d7c171

C:\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp

MD5 7a8cd2511d6ddbd7bb6bb3e32cd6fca3
SHA1 a12964cbaf25bfe85d8e2039a80b63510db3d05d
SHA256 d4002faa1a4db8b6ab0dbc722b0b596074bc2d9a1e78568f86fed5a9e74f3c4b
SHA512 cacc07df6d95fd19670e3ee62edb768d2bcf9dfe432d03a25dad7d6e61738dc63ed513d140f003e9e7f73f1dfd013b5c0352bdc2333d232b5199a6f7606adf71

\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp

MD5 84c35e4d63f9a05eed6ed2ab79db5cb1
SHA1 3c79ef1fc68391c6959aeee14e6e88f8e637b54d
SHA256 a64c4169896e559cdf37df8a11ee8f9274754eb723aec18b789c72240adc267c
SHA512 c1f8c0bf21b2954590c9992b720a0da6a3748a7403c8b3d890b9d0553cfcbd0633378439f7edd9c0f747390b08788a2d2c9ab1cd41893ee2b5b6e13cf0b69fd6

\Users\Admin\AppData\Local\Temp\is-A671J.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-A671J.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-A671J.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2004-100-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1940-79-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 1e8bd63c32c0ab2bdd62d30fd8686369
SHA1 ea0c1477d450837d1a01545b401ea4450de090a2
SHA256 10cc6b44a356a155c2a60fce044cac0fdd2e8666deac687c9f43d33da02a5529
SHA512 63006a7338ff30b368fba2f0550b37ed0d00df6243e8b08204529bfd0086f4cc994a73267645f896fdec9201f97f7709bb278b2a60f5c06ed5dc85dc9fc5db82

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 231853bc9e7500bf9a61f3b22fe99c21
SHA1 d250790d7d791be36b5d89eb9e2321967c9bafd3
SHA256 06617d56d109315ab2986657c74cbec5ae06a18e45051b39cd39464a464feef2
SHA512 866d9cd0823674c5346163f70ad949c3044f8fede228be2404d852fe9f0d884e668378c108664a98ec026eedc3173730c458e97ecd2b355846946f775eb65ec5

memory/2732-104-0x0000000074190000-0x000000007487E000-memory.dmp

memory/688-106-0x00000000027D0000-0x0000000002BC8000-memory.dmp

memory/3056-107-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/1600-113-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 858cb15eee92b02fd28b281e14786d1f
SHA1 a67c51848cc984c98b395809bf623b5d9beb6d6a
SHA256 677a1df6f0d6c277a495ae4b43f8e0d9aa4b6d12b32e7e15d13b54fedc4306c5
SHA512 32e343da4b954b3efb99eced29668d22ec31cd0976e4936624ae242d0becc2e17beea07ff02fad2c1b86c6954b89151fe494d7872c445a2e341ba03a7d02ce13

memory/1600-115-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1600-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-110-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 3e7734a0399be046c9cab551e137888d
SHA1 3d3759f0dcf6339941ac99856438e12d41315a7b
SHA256 f5e6b14201df32b4ca0ba34ee5de092f0db509a2ca96985ad6f69cb10a07aa97
SHA512 9c7526e2d9ac03190f24fc9fdabfd29cee968b7d3c782d538e26b11d0c3542048fbd70fbc0cadf6e20fefaaa96f93956b13b131caa7a644bc18aa78bcbd3ad5b

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 764588f1c1d4377c773101a4b4dceefc
SHA1 c02a70bfc93bb7abc458f6fa0fbc0b2148bf3e5d
SHA256 c89028a3f1bc078cad2b8f19905904707c2406417a8fb985c6f2ef3ab7bfda7b
SHA512 8894be855c0bd23eefe214790a5331fb7bdcfc956508ed51bbc448c45cd88f01cef4097d32e3436a0206cff95e3d12aed2d33266d1658a2e47a84537b2adbb7e

memory/688-116-0x00000000027D0000-0x0000000002BC8000-memory.dmp

memory/2144-117-0x0000000074190000-0x000000007487E000-memory.dmp

memory/688-118-0x0000000002BD0000-0x00000000034BB000-memory.dmp

memory/688-119-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 4b41c6d208b43153e89c8546ef2a6502
SHA1 d7e0c7ae0bba3ee1e305c9cfa68587f3ec458be9
SHA256 e0b4d92c1b1c0721b638f67cc508e99dd346571509f75d5ddefd58c1439555d5
SHA512 ceffce4b80531042384bbeec566ccf35ba5242479b82157b662364815350b49248c2f2e331234dcbd7fdaef4d870c4ecdca2dc8f077e69160168bf886db9c6a6

memory/2144-121-0x0000000004E40000-0x0000000004E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b8e9dcf95af25c27651f966f89c6e533
SHA1 a87194057e1388cdf695af24b2c1b4facf26efb5
SHA256 459b563ee81205752a903933a51ac214a754a31d1bebf91152612f81c1420ad7
SHA512 e2e5d9cee993cf42d662fdea6f72c9210700478859541e8baf0c8955c3aade542d95107b5cf3b305c5883adf5d52b445cb9969213f20ce3a1962ee0fa02b69c0

memory/688-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/688-124-0x00000000027D0000-0x0000000002BC8000-memory.dmp

memory/1180-125-0x0000000003B60000-0x0000000003B76000-memory.dmp

memory/1600-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/832-130-0x0000000002610000-0x0000000002A08000-memory.dmp

memory/2808-131-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2004-132-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1940-133-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2792-134-0x000000013F660000-0x000000013FC01000-memory.dmp

memory/832-140-0x0000000002610000-0x0000000002A08000-memory.dmp

memory/1940-135-0x0000000000240000-0x0000000000241000-memory.dmp

memory/832-148-0x0000000002A10000-0x00000000032FB000-memory.dmp

memory/2004-149-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/832-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 f47354f5f5b41a08668690480f143c82
SHA1 09d10d77cb09a624cf795952b7a5959299a5d0e8
SHA256 e7786e675e970d1319d363536e87360c087c69719f7e7cd63dfec0032ee39f4d
SHA512 b59598ae90e99a17e0d93de61b28580de7ef6238ffcdb5924a4481436d6629e5607225368cdb05e067421df251e1ab6e0c1efb7b8210cba1ebab6a7ab1453590

C:\Windows\rss\csrss.exe

MD5 637d7d5763064d40cea855f65983abfe
SHA1 ed58744377a8ef91cc1a6c270bd4baae3a599945
SHA256 79273d4bc63566ca8e14db3ca22ff5b21e195ab2967e5ef33a1e8493494d685b
SHA512 6c78c86f04141b1fdc65cac6d7b34cef35b7f6a65416c19832e2d3a38620ebea91033a03eeea31103ee7d057324c1bac56e55c3b70b7f5cd2f173527885a06cf

memory/832-159-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/904-160-0x0000000002600000-0x00000000029F8000-memory.dmp

memory/904-161-0x0000000002600000-0x00000000029F8000-memory.dmp

memory/904-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 58089347f524bdc785724e831cf9ba73
SHA1 d9e0962abe142a94138552a2ea5a58673e6004d5
SHA256 6e53a4bbe5472e4157be02c5d2f355d5529d859835bdf8be2012dcc97534c1c8
SHA512 bdb5c0cef8c0e2dcf3d1609b84b4437c89c8dbd4e2de57523015d0d1fdbcf20e18ade928aa103be45d11b4ab23b880ff8782201464c8c144d946c8d4e7f70ca5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 fff5e71ef3bf4df5bd1e9ad1b3b0f126
SHA1 2a13f1dc9c8220c4927b3479b1e4c36092cb9525
SHA256 f2cc946ebbbf71136596fc1a0f8ba192c7d631da48ded4b8342e4d72ad6b7556
SHA512 378dfd50a2c5b1a0eacd63566a14bad28ee5021054c0b6011a2fd338097d45e90aa66f8e348ef5158cbef79dcac5d23ba3a92df02ace86d1bf6772188774685e

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 784ce8153a4cf7d4b585f8e4fc582eef
SHA1 6a3f305a011397d4f107089510a9eb4d19931c0d
SHA256 33d668d732da391223d8e0c84b008aa3e07b47c370eab811c0a5daa1cac2af0b
SHA512 2ef6a52dcac46c21960ad976746f885b6e54a2d4c2de74144072a9b975c6309792a838c465105e506c1a22657b2dc7a68277df013866298fe45f23373955f681

memory/1692-169-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 88a9b4e88de89e6c388565ec11c92acf
SHA1 651183b0a4e94cabda11dec94aeb137d427cb5a5
SHA256 aa80b3267f08646d2fbf4533c787a95c2427848676c9b54d7ff168aabae9f1a4
SHA512 292ba255a7055f7d56c64fa57734f67a0e33f02e608a84143d1c2da65a9262b2e6a5a100ad6421ecd58b7c4e2f4eb12ffd6a3216f3a205543dfdf12dab09c495

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 66df9e3495058bab45cf5b28604b6ff0
SHA1 875e95d8d14a650a35eb3dae46a6df80cce36564
SHA256 b26428b10dbb7ba9855b4ae5f8da327473b5e1cab00c144a2a268f5f99f80cf0
SHA512 3e7e9a62a8919872e62bae68b78a2d8e05bd9796b1d879b1432867e14073ce468d629f5c4a36f7c23bb855498f154f87fdd8328595159ffde6616101d21f14ef

memory/1692-183-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 0e96ee93d85989576503e17b0b3c5b2f
SHA1 421ae73f60b858b5ba4ce4aa731a95b106d52fa9
SHA256 5afbf284fc788a3c76af751469f2c650207191be4dd499b82e3a9feba71e35cf
SHA512 cedafdb6a583ce3bedd79fbdea1faf76cbee3b9075766e992605bb626ee08b77b1785a3c3f78d2c18bece05feb0642c4ad5cfeafcaeb25b662d01387a32be8fc

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 2572753843bbe9b47f53e92829d2a1ce
SHA1 8bcae7e0e0243e5d7c4150469d48c56d3e480f3c
SHA256 87edcac60c652e7c71a1f40c08c562beb50ba341cb55031fe154d245d7d14817
SHA512 9d7673d8e9fe80e9974490278b05b784983635722f4d8ef37935ffbb10ed229659ab45f2f6a29536c58ffddf887095e77bec3a979fac69205dcb489911a43806

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 cd3bdd5ab2334e28fdb24ff515204af3
SHA1 b5be4ee87dafc51b2fddd48034af992db0c538b7
SHA256 5bae926f87eccebe20d3dfa319f1e6e7278afa4774065465245b54520f80836a
SHA512 39c16a07ec42291621e47616a3fb36e1885b747f882b04aa49234db76a1ebacfeb59e2ca6dcc4933d916fcd0624ea75b4d4a6d328fe1298160a7d3b1c0951d89

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 9d6b40236806708ec751b48cfd15ee40
SHA1 b1b4732caa4b291d6452629bcdc474538c2e501b
SHA256 689427deec0dfc84bccab44c66295a5af353f691359980a1b5e8f8b1de6e9a9b
SHA512 61642b74e8917213cc7744eb40714922f806f857c4a0c90b3a5232b200315adff8c6e7b53efc8a18d490c6e82c015278e27876bf03fff931faf2b9b73cbbbaac

C:\Users\Admin\AppData\Local\Temp\Cab3E79.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4025.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\4378.exe

MD5 f83a510e8b059349e4c081c6c04c9339
SHA1 9f2ded6d9fdcb89d92135c0ffd34c97dc4355f90
SHA256 b37260eacdf967cee8ed4532c47b00328373e2c8e2ce5fbf92c7d37e2fe686e5
SHA512 1878abf77f6a44a9673cd7a9aa1c561c72fc491eb88efa9109b6bd715fb810121ab536ebdacff6767c5c9e0318c1bb4da93347968dd3de292d1deb0b800aff69

C:\Users\Admin\AppData\Local\Temp\4378.exe

MD5 559ca9f57a525d3da72a915d8ff1df69
SHA1 a09e091539c0acac33092c6042e52f4697ce0b0b
SHA256 17816b5e3dbf8ae8d614d20425d62efe40edbfc0e7481959d90f053a194feacd
SHA512 9bca16d9f55cae285ebecf16c8502c3fd4b07f083d900a3b4f0a6ca52877455b45beaafba0ba144e1abad7f50f472fd0d0724f1b1fffadbc08123a6a3cf5a577

memory/2632-250-0x0000000000B10000-0x0000000001004000-memory.dmp

memory/2632-252-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2632-254-0x00000000050A0000-0x00000000050E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\482A.exe

MD5 63353d70a6e90b54fac07e0187bbf0ba
SHA1 6149408d97958692b1dc9308a97e1eb4601b8a89
SHA256 86a107ab19bda413112664d0e8df906836d882039fdb2b35391af217788cc77a
SHA512 f16f328e14fbd2ba8841ca723ca145a70061dfb117306160780c3f11d6df423e611042742bbf9e3f96f8d39611271c5dd5b4b1e3d9ed2d8da41a93af841771ab

C:\Users\Admin\AppData\Local\Temp\482A.exe

MD5 708ccdb88001ddca9d8c7136f6a00cbb
SHA1 99cd1ae87a9dd36c81710fa9b5580836d8a005ba
SHA256 b60c0da9547c83564b85cf7190bc7cf86cac15e6866f814d2fd158d5685e35e4
SHA512 09e09afea3ca33f0db87da539c6491578f31a9eb5434ad88ff93c92d9a834634d2ceb5d179f8931fbb35c90626a3d6b29706b30a5d729d1076b73ba7781ff183

memory/2604-260-0x00000000002E0000-0x000000000031C000-memory.dmp

memory/2604-261-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2604-262-0x0000000007180000-0x00000000071C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 12:12

Reported

2023-12-12 12:15

Platform

win10v2004-20231127-en

Max time kernel

70s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6B58.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A
(62 further matches; no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 3432 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 3432 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 3432 wrote to memory of 4696 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B58.exe
PID 3432 wrote to memory of 4696 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B58.exe
PID 3432 wrote to memory of 4696 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B58.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe"

C:\Users\Admin\AppData\Local\Temp\23BF.exe

C:\Users\Admin\AppData\Local\Temp\23BF.exe

C:\Users\Admin\AppData\Local\Temp\6B58.exe

C:\Users\Admin\AppData\Local\Temp\6B58.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-GSPDH.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GSPDH.tmp\tuc3.tmp" /SL5="$90048,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\BC96.exe

C:\Users\Admin\AppData\Local\Temp\BC96.exe

C:\Users\Admin\AppData\Local\Temp\C6E8.exe

C:\Users\Admin\AppData\Local\Temp\C6E8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp

Files

memory/1424-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1424-3-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3432-1-0x0000000002E60000-0x0000000002E76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23BF.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\6B58.exe

MD5 2996b3040e70cf76c8ffcacd0bcc360e
SHA1 08da260cbfa1ba1a851973563da2ed582079ff66
SHA256 d007b35c733b8c983fe142ce8785852f0782c56a60d5d49556316cfdfc21ab28
SHA512 510a8969159ea383915d704dac74e342dc69ab47ff086c384d921a72286bacdcd3b9d46fdc87970ac9fa9b6a3431c124cf2aec96aa23a27c84a566f8085f6ee4

C:\Users\Admin\AppData\Local\Temp\6B58.exe

MD5 d0c59443e41e1160209139841fa39c9f
SHA1 76be0077ce9dc5ef6756b8c202a6d5d94c759535
SHA256 de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c
SHA512 d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

memory/4696-16-0x0000000074720000-0x0000000074ED0000-memory.dmp

memory/4696-17-0x0000000000870000-0x0000000001D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 62a117accf1701d57d4d3b2e30daf6ff
SHA1 0ac915f51c25856b99d303aefcc516a06a8fae9c
SHA256 066c6c0b72add7e6ef1a9d0c1499fd91c9ef0a61e4aea41aedc70c253fa8569b
SHA512 7d05124016a176a9ed10fae15af24090598f2aa56444271462478decf6c682b18958ad07108e478e75bf23353392a633ae5e3ff86c7269884ecbfab3a7adb9c7

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 98eff24d7fa8551dd0b43091ba9e863d
SHA1 e8443f8d734e425c6251c69518552f0bcd1c22a9
SHA256 524316c79ec405709dfe99e82100dcb3758960fc250796c2cd2b26eaddbd5451
SHA512 6ec7635c29e8d74539930f055fa7e0a677b93acb622ec49f5059d5331ce22a8767ec5bf4ba673e770f2a3be346cabc974c232e64ba81f4b263b9315be1519ec4

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 cce61c1ece398cb8c0354e2375f36002
SHA1 e8536625266a75d3c2d632346ded77f6e2188bdf
SHA256 baf5260412a3ad620bb50edd5e35dc682b1442a691f66dd498c47250d28670e0
SHA512 04d139cc553da0865cf885ec4fa1afa9cb22448b49ab30592aed96ae53214842399e9991577af85e93c779382c47ed1ec7ca38531410f731a5bb9694633f6f7d

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7b80714b983fcb5e0609d602d79a6103
SHA1 9708ef6dbc0a5f80d772e0aafd0fc7d1a75d3abf
SHA256 6dba9f1361c70e6976540cc437cff09fafc9e67e66c28062a10f370719bb76a4
SHA512 da5b01d072c3a6dc1df08290c29e571f5ddc256880b9c3125b623341559193b70cc3f5409235f127db98425d38d9ed900c5af068f4c06333276b037bb7d2ff44

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 2a1ead0f193538b1e134cda851538d51
SHA1 e88412aaae131de89926535a0c631706b4f3456d
SHA256 0bd3b948312dbc87df5959fcc1a2560064fb660b9a4b19a31fa4457e87e4b094
SHA512 a9dc2fbd74928f394741a8a9cd6bd3148d070a7cc452e1966954fb07761a8957a564911a058d327af4bdbe59639455c900493330734a55f73554cb0e2a6b74e1

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 bb62eb5da4f2a9ab8434396d9752fdb0
SHA1 ad269614474763d1b6f1b39e51ff58b99bdd2e13
SHA256 08a4f6f94fe0a0b52fab5283aa44f062bb68c1755205bd81ef924f352f2d209e
SHA512 e4da83dbae17e1db6e57692a409ac9c05f7fba029fd1a75d2cee8a1d529475ff4698db371dfd14c846197226077d6699cf648b4428656861f0f5304e819e3632

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1ac6f91f68a718573bc6e310e5267f9c
SHA1 a30f1f046da88ec78fcab903e37f0b8520625d5d
SHA256 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a
SHA512 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381

memory/5016-60-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4404-64-0x0000000000E20000-0x0000000000E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 8f8606e11468cfb930caef0754c46b26
SHA1 8510cd7a79ff518db0976a70d62e26388e3ed1b0
SHA256 6e572f82fcfefc19cfe1792eb7c75324c36ea50001a23a54739300eefcb5f892
SHA512 daf1a39442df774cf586e75ad77f17faa3fa08010bca914591cd405bb3192c3316d16904379cf6e6866f56c8308e8a517597e9d1f4f41f2df6d1a893f2a7b57d

C:\Users\Admin\AppData\Local\Temp\is-GSPDH.tmp\tuc3.tmp

MD5 54bb0d4e8255b55f339cb4e20b537b0b
SHA1 9b8957c8631a57142545c9bd1229cdae402bafea
SHA256 82eecf84a880e8cbf0a4a5dfaffed6b65afcec9f6b0289bccf9f06f58c7550e8
SHA512 da5461afc80fabb5920d3dffbcf870ffe4b8432b0d61a1b2ef4a549b54d25e2f299bbfc5c7961c43131f1556e4ff5ab244e7a3598193dd06654bf1f3362ef889

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e77422fac1e9d2d11cf7f1c1d57071a4
SHA1 53e63414263dc20ea044c6cbb4fb4fc2c2be6140
SHA256 9d0cfbb7bb8da895a7f43758556217bf4c00b5c335c56b1f765c14069993e320
SHA512 d2b84dd99814d55c541f02452eac9c9344bfd838d1f8b73a07bcc3193b9122176ffee19a182712b0ea646fb9e4b306732940efb0f38f0903d98788ecf2495f53

memory/4696-76-0x0000000074720000-0x0000000074ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2AKA5.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-2AKA5.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/1392-77-0x0000000000760000-0x0000000000761000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 950328525b0af55ad797db64ca914d61
SHA1 7f5700b5e124e6f08cd949e3b73357bb1da768dd
SHA256 cd3f378a7666337bfeb874c137fe88f9e14ec93ecd834bef96d551bff28d961f
SHA512 84a04353c8b7ccbe1b7347271e40b869c5a6dfda3bd08278f89c76920af49ed901f96de7357204ada7d33ca2439f32b06b234f892f65c9de5f37986aa280b40a

memory/3676-220-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 00b5db4a1ddb79833fb147a3e61a974e
SHA1 1da109d6ddfec278e5a9af3fd57ad4ab1dc1eb97
SHA256 9b8004de254854611347d62e6a4887218aba7e05b184aef309d8c177c3dfc0a7
SHA512 07ee3c2f32d0d3d97108e7ef4dfaeb20bf7ebae76f5f25482ab64ada71f9bf4c5a118e1ea6f05dbcfcd548dbf541f707ee94dcfe5c1ef722a20f8af1fa8aed1b

memory/3676-224-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3676-221-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 6fd8416a8283d2b8e9e07849389240e2
SHA1 7b1199727ddfce41daca65c14dc46bf9b4c73653
SHA256 3c01fbbf42a07df2f5fdc7041c68520197f431454d068b85801ea5f756316406
SHA512 a11f7189a04025a1c0f67e025996b38e5537298885bf39f6eb211c20e7e2f7bf328a1996c3e69d00a8e0033dccbadca1167f78dd9c8bac1cdd224b60334d994e

memory/652-227-0x0000000000400000-0x0000000000785000-memory.dmp

memory/652-229-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC96.exe

MD5 4cf3b5310fe387a54cb3055997843750
SHA1 7d4fc5919400c41ea0aab417bb59ea23a2dca211
SHA256 61a0177ff0237daf0e18f02c4d958ad82a2bcfb5c7a8f4c5d5aa6df1c89f6836
SHA512 6f6b6a8f3a86c5299047df86f5ad99d340213317dd5dca932cbf920e9b8a088a644961253c9a92aa4c5f86dbce64e92fd0b17814a9da6993887ef67cbcf2f9c6

memory/4404-235-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1392-237-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5016-236-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2360-238-0x0000000000D00000-0x00000000011F4000-memory.dmp

memory/1748-240-0x00007FF62DC60000-0x00007FF62E201000-memory.dmp

memory/2360-241-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/2360-242-0x0000000006190000-0x0000000006734000-memory.dmp

memory/2360-243-0x0000000005B10000-0x0000000005BA2000-memory.dmp

memory/2360-244-0x0000000005CE0000-0x0000000005D7C000-memory.dmp

memory/2360-247-0x0000000005DF0000-0x0000000005E00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C6E8.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/884-250-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/2360-251-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

memory/884-252-0x00000000000D0000-0x000000000010C000-memory.dmp

memory/884-253-0x0000000006F90000-0x0000000006FA0000-memory.dmp