redline | 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20210408
submitted
25-07-2021 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9E410393702B6902ABDE53FC8B588527.exe
Size

2.3MB
MD5

9e410393702b6902abde53fc8b588527
SHA1

0a4d2250a4d47e4e9993e0e806545d8731fe5b35
SHA256

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
SHA512

66353988d7a905232f1a7462397c4cc1eba7eed1a819a6f5ed22ddff050f97624a702d3780c535eef08eac0bebde1b9d4a92f08c35fcab266e6a77ab3c5f5386

Score

10^/10

redline @menvzlomali discovery evasion infostealer spyware stealer suricata themida trojan

Malware Config

Extracted

Family

redline

Botnet

@menvzlomali

xetadycami.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe	family_redline

suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.exemine.execlip.exeMicrosoftApi.exeMicrosoftApi.execlip.exe

pid	process
1812	7z.exe
1728	7z.exe
1704	7z.exe
832	7z.exe
1556	7z.exe
1256	@menvzlomali.exe
348	mine.exe
1956	clip.exe
1440	MicrosoftApi.exe
1560	MicrosoftApi.exe
1788	clip.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mine.exeMicrosoftApi.exeMicrosoftApi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe

Loads dropped DLL 15 IoCs

Processes:

cmd.exe7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.exemine.execlip.execlip.exe

pid	process
1152	cmd.exe
1812	7z.exe
1152	cmd.exe
1728	7z.exe
1152	cmd.exe
1704	7z.exe
1152	cmd.exe
832	7z.exe
1152	cmd.exe
1556	7z.exe
1256	@menvzlomali.exe
1256	@menvzlomali.exe
348	mine.exe
1956	clip.exe
1788	clip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\mine.exe	themida
C:\Users\Admin\AppData\Local\Temp\mine.exe	themida
behavioral1/memory/348-105-0x000000013FC10000-0x000000013FC11000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\mine.exe	themida
\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe	themida
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe	themida
behavioral1/memory/1440-118-0x000000013F4B0000-0x000000013F4B1000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe	themida
behavioral1/memory/1560-134-0x000000013F740000-0x000000013F741000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mine.exeMicrosoftApi.exeMicrosoftApi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftApi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mine.exeMicrosoftApi.exeMicrosoftApi.exe

pid process

348 mine.exe
1440 MicrosoftApi.exe
1560 MicrosoftApi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

clip.exe

description pid process target process

PID 1956 set thread context of 1788 1956 clip.exe clip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1248 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

940 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

@menvzlomali.exe

pid process

1256 @menvzlomali.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

@menvzlomali.exeMicrosoftApi.exe

pid process

1256 @menvzlomali.exe
1256 @menvzlomali.exe
1560 MicrosoftApi.exe

pid	process
348	mine.exe
1440	MicrosoftApi.exe
1560	MicrosoftApi.exe

description	pid	process	target process
PID 1956 set thread context of 1788	1956	clip.exe	clip.exe

pid	process
1248	schtasks.exe

pid	process
940	timeout.exe

pid	process
1256	@menvzlomali.exe

pid	process
1256	@menvzlomali.exe
1256	@menvzlomali.exe
1560	MicrosoftApi.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.execlip.exeMicrosoftApi.exe

description	pid	process
Token: SeRestorePrivilege	1812	7z.exe
Token: 35	1812	7z.exe
Token: SeSecurityPrivilege	1812	7z.exe
Token: SeSecurityPrivilege	1812	7z.exe
Token: SeRestorePrivilege	1728	7z.exe
Token: 35	1728	7z.exe
Token: SeSecurityPrivilege	1728	7z.exe
Token: SeSecurityPrivilege	1728	7z.exe
Token: SeRestorePrivilege	1704	7z.exe
Token: 35	1704	7z.exe
Token: SeSecurityPrivilege	1704	7z.exe
Token: SeSecurityPrivilege	1704	7z.exe
Token: SeRestorePrivilege	832	7z.exe
Token: 35	832	7z.exe
Token: SeSecurityPrivilege	832	7z.exe
Token: SeSecurityPrivilege	832	7z.exe
Token: SeRestorePrivilege	1556	7z.exe
Token: 35	1556	7z.exe
Token: SeSecurityPrivilege	1556	7z.exe
Token: SeSecurityPrivilege	1556	7z.exe
Token: SeDebugPrivilege	1256	@menvzlomali.exe
Token: SeDebugPrivilege	1956	clip.exe
Token: SeDebugPrivilege	1560	MicrosoftApi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9E410393702B6902ABDE53FC8B588527.execmd.exe@menvzlomali.exemine.exeMicrosoftApi.execmd.exetaskeng.execlip.execlip.exe

description	pid	process	target process
PID 484 wrote to memory of 1152	484	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 484 wrote to memory of 1152	484	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 484 wrote to memory of 1152	484	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 484 wrote to memory of 1152	484	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 1152 wrote to memory of 1996	1152	cmd.exe	mode.com
PID 1152 wrote to memory of 1996	1152	cmd.exe	mode.com
PID 1152 wrote to memory of 1996	1152	cmd.exe	mode.com
PID 1152 wrote to memory of 1812	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1812	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1812	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1704	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1704	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1704	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 832	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 832	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 832	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1556	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1556	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 1556	1152	cmd.exe	7z.exe
PID 1152 wrote to memory of 468	1152	cmd.exe	attrib.exe
PID 1152 wrote to memory of 468	1152	cmd.exe	attrib.exe
PID 1152 wrote to memory of 468	1152	cmd.exe	attrib.exe
PID 1152 wrote to memory of 1256	1152	cmd.exe	@menvzlomali.exe
PID 1152 wrote to memory of 1256	1152	cmd.exe	@menvzlomali.exe
PID 1152 wrote to memory of 1256	1152	cmd.exe	@menvzlomali.exe
PID 1152 wrote to memory of 1256	1152	cmd.exe	@menvzlomali.exe
PID 1256 wrote to memory of 348	1256	@menvzlomali.exe	mine.exe
PID 1256 wrote to memory of 348	1256	@menvzlomali.exe	mine.exe
PID 1256 wrote to memory of 348	1256	@menvzlomali.exe	mine.exe
PID 1256 wrote to memory of 348	1256	@menvzlomali.exe	mine.exe
PID 1256 wrote to memory of 1956	1256	@menvzlomali.exe	clip.exe
PID 1256 wrote to memory of 1956	1256	@menvzlomali.exe	clip.exe
PID 1256 wrote to memory of 1956	1256	@menvzlomali.exe	clip.exe
PID 1256 wrote to memory of 1956	1256	@menvzlomali.exe	clip.exe
PID 348 wrote to memory of 1440	348	mine.exe	MicrosoftApi.exe
PID 348 wrote to memory of 1440	348	mine.exe	MicrosoftApi.exe
PID 348 wrote to memory of 1440	348	mine.exe	MicrosoftApi.exe
PID 1440 wrote to memory of 1856	1440	MicrosoftApi.exe	cmd.exe
PID 1440 wrote to memory of 1856	1440	MicrosoftApi.exe	cmd.exe
PID 1440 wrote to memory of 1856	1440	MicrosoftApi.exe	cmd.exe
PID 1856 wrote to memory of 940	1856	cmd.exe	timeout.exe
PID 1856 wrote to memory of 940	1856	cmd.exe	timeout.exe
PID 1856 wrote to memory of 940	1856	cmd.exe	timeout.exe
PID 1856 wrote to memory of 1248	1856	cmd.exe	schtasks.exe
PID 1856 wrote to memory of 1248	1856	cmd.exe	schtasks.exe
PID 1856 wrote to memory of 1248	1856	cmd.exe	schtasks.exe
PID 1748 wrote to memory of 1560	1748	taskeng.exe	MicrosoftApi.exe
PID 1748 wrote to memory of 1560	1748	taskeng.exe	MicrosoftApi.exe
PID 1748 wrote to memory of 1560	1748	taskeng.exe	MicrosoftApi.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1956 wrote to memory of 1788	1956	clip.exe	clip.exe
PID 1788 wrote to memory of 1336	1788	clip.exe	clip.exe
PID 1788 wrote to memory of 1336	1788	clip.exe	clip.exe
PID 1788 wrote to memory of 1336	1788	clip.exe	clip.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

468 attrib.exe

pid	process
468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe
"C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\mode.com
mode 65,10
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\attrib.exe
attrib +H "@menvzlomali.exe"
3⤵
- Views/modifies file attributes
PID:468

C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
"@menvzlomali.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\mine.exe
"C:\Users\Admin\AppData\Local\Temp\mine.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp602A.tmp.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
7⤵
- Creates scheduled task(s)
PID:1248

C:\Users\Admin\AppData\Local\Temp\clip.exe
"C:\Users\Admin\AppData\Local\Temp\clip.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\clip.exe
"C:\Users\Admin\AppData\Local\Temp\clip.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\clip.exe
C:\Users\Admin\AppData\Local\Temp\clip.exe
6⤵
PID:1336

C:\Windows\system32\taskeng.exe
taskeng.exe {06224B39-8A1C-4C6E-9B3B-C9C10C8588B8} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
MD5
57212d78e3f10df15da4118f3af590c3

SHA1
fd591b0771e0fb440a82c3f939443859360d55c9

SHA256
071ad7bfefd2e0f0e6e5026f8753d4c02fbc3a6dceb66788677aa027d507c283

SHA512
8fbbba63336485b32ad3b415fcf3d1b2992c9b34a5872ac12e6c5767c03be509d7b537838aa44d49f20c44ab515761f5377a89eec0d54ea237de989b2dc1607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe
MD5
57212d78e3f10df15da4118f3af590c3

SHA1
fd591b0771e0fb440a82c3f939443859360d55c9

SHA256
071ad7bfefd2e0f0e6e5026f8753d4c02fbc3a6dceb66788677aa027d507c283

SHA512
8fbbba63336485b32ad3b415fcf3d1b2992c9b34a5872ac12e6c5767c03be509d7b537838aa44d49f20c44ab515761f5377a89eec0d54ea237de989b2dc1607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
MD5
9c238b66e8e878add3c6d5ec2bb2b8ee

SHA1
01a129285a5738e6acf88d76e8861d7e4f66cf6d

SHA256
0b17daf75f88addfa5ea28e546842453b6b8e8677c81e6af5bced446a7e7cd10

SHA512
b00d7825e4da91645a3e723b0873ec98a96b40eacb4f3b070e8ddc46ecd6a3891dc62c835734e8fb3d26e82f18bd55813149f09c09f0b86d940c994f342b8092

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
MD5
17c65e9dd39033b1498d5b7127235bdb

SHA1
3f91c363bc3ae2ccbd4bdda2b8e2a327738af446

SHA256
4899f8459fa43698d043dd55347d7afde5529222dc09a9b5b46515d4dc78dbeb

SHA512
58a64286a2964cd8ff4877f5f4895cec01ed3135568c945d2232295f33fc1b19a30dc7fd5567fa4db46ac5e55ba29bb811cf89bdb4e12e7312cf73576c01c133

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
MD5
960172e158c04fe1a52ec200f8b603e3

SHA1
f866ab4b93f39adecf47053f9c4150c67f159d45

SHA256
b6fc5a261199c4cfbc37c61c26439a95bf2f302889e39e48b2926fd03270328d

SHA512
9d07a9d90dd87ff49087c56cb33e533d487806afbb57a41a72ac1f68cd8736aaaa2660c2449204652928a5edca3da12518701e6e1adf731b37b82267d993017d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
MD5
b8ac7bef4565972b105784581c036b1f

SHA1
3b2e982bdfbddac1e34edc0e0e270f9280767dab

SHA256
638e31294512e587d4f5f464ae12dd9319cbf0e29b17b0f69ff06c8c12c6549f

SHA512
d3d566a5d3e731e1aed6b59086f2206b49512b1b99183dfb1e38f37f0ff1694aca66bb17c3ee2fd9fb65ebd7986479ec8af392683b3f45affe450604ba8c4c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
MD5
6104565d86f6897d5598ca576d0cdb34

SHA1
5c6249bb6f5f4648549bebc9f6c27d27cc0cf470

SHA256
b9badec8e882abe16db8a7b85e168cd712b99bb75cee0cc5c2b66fbeda07f4d8

SHA512
b6f593d4ff0a4050b7fa907242298ec25dae653073b1a13a1ea13afaabc91d1db4a1c0857b4cccf93dc78d95156a8ca05fe1af95bab568e6720582f83607df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
MD5
1db985429ea59b5e0ee3bf05de444e3f

SHA1
f5a960489b8141fcf746db2e1b9cc899cc839db5

SHA256
1b7c0b233b405bf1c9534319ddce9b72e61e6701c41287684e5f4f489d5f51bd

SHA512
cf8758b04a3d924c4608df42d0eef538925bb86c26fc3918cf838f827380bbe891f28e13537fb4bdde340c020bbf347e65c5bc19efdc643ea1d3f8b87d8c5f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
MD5
95e9d038587986bbfae1f3ff2703751c

SHA1
f755fc147be4c89a8f4a8ef8303458a9c2f384c7

SHA256
e94dc2d6675a9b0bef924a79e67e01107ac1725704c7c870939833c2e0ec7c22

SHA512
472969d8183aad603ff6063aa69b233833fe193f3f06b6fbee2c032bafe031900cbc35251219c4b850584bd4721bb132252a3bbc695056ddf92fb0416d142e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp602A.tmp.cmd
MD5
c24e27a1272b1ac418b976f08f81b827

SHA1
60cd9feafd831e1732da6454ee03996f8ea13c1e

SHA256
ab996320c3a2335c3ebedd9695b4ae40bb3bad17e0c3e09149dd4dd787322a54

SHA512
e829ff58ba1fa8ebb9be5f4b226714afc242a38e3da75d9f3958d6797e431e758577bb86642d46e22e114038fcc9ad093fbd0fc6ec30d551e23c2c614cf034a5

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ICSharpCode.SharpZipLib.dll
MD5
5a5ab6c6bf9a23d07bc72cc19c37a432

SHA1
12fd67b780088a9d95eecd06c59658447e42f65c

SHA256
85ff339d1e0b853b0f544530fb022a30254f398d8cecfcdfa9e3c0310c3f4791

SHA512
16f5d6af94daa0833d4a95fcf261273f7610a6aaba01b775a358bee6c4ff25d90ad93abfcaf917256038d0abd272502c10e4e8933a062d456db3db077a7221bd

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
\Users\Admin\AppData\Local\Temp\mine.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
memory/348-100-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/348-121-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/348-98-0x0000000000000000-mapping.dmp

Download
memory/348-105-0x000000013FC10000-0x000000013FC11000-memory.dmp

Filesize
4KB

Download
memory/348-110-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/468-91-0x0000000000000000-mapping.dmp

Download
memory/484-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/832-80-0x0000000000000000-mapping.dmp

Download
memory/940-125-0x0000000000000000-mapping.dmp

Download
memory/1152-60-0x0000000000000000-mapping.dmp

Download
memory/1248-127-0x0000000000000000-mapping.dmp

Download
memory/1256-92-0x0000000000000000-mapping.dmp

Download
memory/1256-96-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1256-94-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1440-122-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/1440-115-0x0000000000000000-mapping.dmp

Download
memory/1440-120-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1440-126-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1440-118-0x000000013F4B0000-0x000000013F4B1000-memory.dmp

Filesize
4KB

Download
memory/1556-85-0x0000000000000000-mapping.dmp

Download
memory/1560-131-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1560-138-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-136-0x000000001D3E0000-0x000000001D3E2000-memory.dmp

Filesize
8KB

Download
memory/1560-134-0x000000013F740000-0x000000013F741000-memory.dmp

Filesize
4KB

Download
memory/1560-133-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/1560-129-0x0000000000000000-mapping.dmp

Download
memory/1704-75-0x0000000000000000-mapping.dmp

Download
memory/1728-70-0x0000000000000000-mapping.dmp

Download
memory/1788-148-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1788-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1788-143-0x000000000040E80E-mapping.dmp

Download
memory/1788-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1812-65-0x0000000000000000-mapping.dmp

Download
memory/1856-123-0x0000000000000000-mapping.dmp

Download
memory/1956-102-0x0000000000000000-mapping.dmp

Download
memory/1956-140-0x00000000006C0000-0x00000000006D4000-memory.dmp

Filesize
80KB

Download
memory/1956-139-0x0000000004C80000-0x0000000004CD5000-memory.dmp

Filesize
340KB

Download
memory/1956-128-0x0000000000440000-0x000000000046D000-memory.dmp

Filesize
180KB

Download
memory/1956-112-0x0000000000C00000-0x0000000000C4E000-memory.dmp

Filesize
312KB

Download
memory/1956-111-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1956-108-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1996-62-0x0000000000000000-mapping.dmp

Download