Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20210408
submitted: 25-07-2021 01:04

Static task: static1
Behavioral task: behavioral1
  Sample: 9E410393702B6902ABDE53FC8B588527.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 9E410393702B6902ABDE53FC8B588527.exe
  Resource: win10v20210410
General

Target: 9E410393702B6902ABDE53FC8B588527.exe
Size: 2.3MB
MD5: 9e410393702b6902abde53fc8b588527
SHA1: 0a4d2250a4d47e4e9993e0e806545d8731fe5b35
SHA256: 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
SHA512: 66353988d7a905232f1a7462397c4cc1eba7eed1a819a6f5ed22ddff050f97624a702d3780c535eef08eac0bebde1b9d4a92f08c35fcab266e6a77ab3c5f5386
Malware Config
Extracted
redline
@menvzlomali
xetadycami.xyz:80
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload [2 IoCs]
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe | family_redline
- suricata: ET MALWARE Generic gate[.].php GET with minimal headers
- suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Downloads MZ/PE file
- Executes dropped EXE [11 IoCs]
  Processes:
  pid | process
  1812 | 7z.exe
  1728 | 7z.exe
  1704 | 7z.exe
  832 | 7z.exe
  1556 | 7z.exe
  1256 | @menvzlomali.exe
  348 | mine.exe
  1956 | clip.exe
  1440 | MicrosoftApi.exe
  1560 | MicrosoftApi.exe
  1788 | clip.exe
- Checks BIOS information in registry [2 TTPs, 6 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | mine.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | mine.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MicrosoftApi.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MicrosoftApi.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MicrosoftApi.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MicrosoftApi.exe
- Loads dropped DLL [15 IoCs]
  Processes:
  pid | process
  1152 | cmd.exe
  1812 | 7z.exe
  1152 | cmd.exe
  1728 | 7z.exe
  1152 | cmd.exe
  1704 | 7z.exe
  1152 | cmd.exe
  832 | 7z.exe
  1152 | cmd.exe
  1556 | 7z.exe
  1256 | @menvzlomali.exe
  1256 | @menvzlomali.exe
  348 | mine.exe
  1956 | clip.exe
  1788 | clip.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\mine.exe | themida
  C:\Users\Admin\AppData\Local\Temp\mine.exe | themida
  behavioral1/memory/348-105-0x000000013FC10000-0x000000013FC11000-memory.dmp | themida
  C:\Users\Admin\AppData\Local\Temp\mine.exe | themida
  \Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe | themida
  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe | themida
  behavioral1/memory/1440-118-0x000000013F4B0000-0x000000013F4B1000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe | themida
  behavioral1/memory/1560-134-0x000000013F740000-0x000000013F741000-memory.dmp | themida
- Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
- Checks installed software on the system [1 TTPs]
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mine.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftApi.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftApi.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [3 IoCs]
  Processes:
  pid | process
  348 | mine.exe
  1440 | MicrosoftApi.exe
  1560 | MicrosoftApi.exe
- Suspicious use of SetThreadContext [1 IoCs]
  Processes:
  description | pid | process | target process
  PID 1956 set thread context of 1788 | 1956 | clip.exe | clip.exe
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) [1 TTPs, 1 IoCs]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe [1 IoCs]
  Processes:
  pid | process
  940 | timeout.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam [1 IoCs]
  Processes:
  pid | process
  1256 | @menvzlomali.exe
- Suspicious behavior: EnumeratesProcesses [3 IoCs]
  Processes:
  pid | process
  1256 | @menvzlomali.exe
  1256 | @menvzlomali.exe
  1560 | MicrosoftApi.exe
- Suspicious use of AdjustPrivilegeToken [23 IoCs]
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 1812 | 7z.exe
  Token: 35 | 1812 | 7z.exe
  Token: SeSecurityPrivilege | 1812 | 7z.exe
  Token: SeSecurityPrivilege | 1812 | 7z.exe
  Token: SeRestorePrivilege | 1728 | 7z.exe
  Token: 35 | 1728 | 7z.exe
  Token: SeSecurityPrivilege | 1728 | 7z.exe
  Token: SeSecurityPrivilege | 1728 | 7z.exe
  Token: SeRestorePrivilege | 1704 | 7z.exe
  Token: 35 | 1704 | 7z.exe
  Token: SeSecurityPrivilege | 1704 | 7z.exe
  Token: SeSecurityPrivilege | 1704 | 7z.exe
  Token: SeRestorePrivilege | 832 | 7z.exe
  Token: 35 | 832 | 7z.exe
  Token: SeSecurityPrivilege | 832 | 7z.exe
  Token: SeSecurityPrivilege | 832 | 7z.exe
  Token: SeRestorePrivilege | 1556 | 7z.exe
  Token: 35 | 1556 | 7z.exe
  Token: SeSecurityPrivilege | 1556 | 7z.exe
  Token: SeSecurityPrivilege | 1556 | 7z.exe
  Token: SeDebugPrivilege | 1256 | @menvzlomali.exe
  Token: SeDebugPrivilege | 1956 | clip.exe
  Token: SeDebugPrivilege | 1560 | MicrosoftApi.exe
- Suspicious use of WriteProcessMemory [64 IoCs]
  Processes:
  description | pid | process | target process
  PID 484 wrote to memory of 1152 | 484 | 9E410393702B6902ABDE53FC8B588527.exe | cmd.exe
  PID 484 wrote to memory of 1152 | 484 | 9E410393702B6902ABDE53FC8B588527.exe | cmd.exe
  PID 484 wrote to memory of 1152 | 484 | 9E410393702B6902ABDE53FC8B588527.exe | cmd.exe
  PID 484 wrote to memory of 1152 | 484 | 9E410393702B6902ABDE53FC8B588527.exe | cmd.exe
  PID 1152 wrote to memory of 1996 | 1152 | cmd.exe | mode.com
  PID 1152 wrote to memory of 1996 | 1152 | cmd.exe | mode.com
  PID 1152 wrote to memory of 1996 | 1152 | cmd.exe | mode.com
  PID 1152 wrote to memory of 1812 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1812 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1812 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1728 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1728 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1728 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1704 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1704 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1704 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 832 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 832 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 832 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1556 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1556 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 1556 | 1152 | cmd.exe | 7z.exe
  PID 1152 wrote to memory of 468 | 1152 | cmd.exe | attrib.exe
  PID 1152 wrote to memory of 468 | 1152 | cmd.exe | attrib.exe
  PID 1152 wrote to memory of 468 | 1152 | cmd.exe | attrib.exe
  PID 1152 wrote to memory of 1256 | 1152 | cmd.exe | @menvzlomali.exe
  PID 1152 wrote to memory of 1256 | 1152 | cmd.exe | @menvzlomali.exe
  PID 1152 wrote to memory of 1256 | 1152 | cmd.exe | @menvzlomali.exe
  PID 1152 wrote to memory of 1256 | 1152 | cmd.exe | @menvzlomali.exe
  PID 1256 wrote to memory of 348 | 1256 | @menvzlomali.exe | mine.exe
  PID 1256 wrote to memory of 348 | 1256 | @menvzlomali.exe | mine.exe
  PID 1256 wrote to memory of 348 | 1256 | @menvzlomali.exe | mine.exe
  PID 1256 wrote to memory of 348 | 1256 | @menvzlomali.exe | mine.exe
  PID 1256 wrote to memory of 1956 | 1256 | @menvzlomali.exe | clip.exe
  PID 1256 wrote to memory of 1956 | 1256 | @menvzlomali.exe | clip.exe
  PID 1256 wrote to memory of 1956 | 1256 | @menvzlomali.exe | clip.exe
  PID 1256 wrote to memory of 1956 | 1256 | @menvzlomali.exe | clip.exe
  PID 348 wrote to memory of 1440 | 348 | mine.exe | MicrosoftApi.exe
  PID 348 wrote to memory of 1440 | 348 | mine.exe | MicrosoftApi.exe
  PID 348 wrote to memory of 1440 | 348 | mine.exe | MicrosoftApi.exe
  PID 1440 wrote to memory of 1856 | 1440 | MicrosoftApi.exe | cmd.exe
  PID 1440 wrote to memory of 1856 | 1440 | MicrosoftApi.exe | cmd.exe
  PID 1440 wrote to memory of 1856 | 1440 | MicrosoftApi.exe | cmd.exe
  PID 1856 wrote to memory of 940 | 1856 | cmd.exe | timeout.exe
  PID 1856 wrote to memory of 940 | 1856 | cmd.exe | timeout.exe
  PID 1856 wrote to memory of 940 | 1856 | cmd.exe | timeout.exe
  PID 1856 wrote to memory of 1248 | 1856 | cmd.exe | schtasks.exe
  PID 1856 wrote to memory of 1248 | 1856 | cmd.exe | schtasks.exe
  PID 1856 wrote to memory of 1248 | 1856 | cmd.exe | schtasks.exe
  PID 1748 wrote to memory of 1560 | 1748 | taskeng.exe | MicrosoftApi.exe
  PID 1748 wrote to memory of 1560 | 1748 | taskeng.exe | MicrosoftApi.exe
  PID 1748 wrote to memory of 1560 | 1748 | taskeng.exe | MicrosoftApi.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1956 wrote to memory of 1788 | 1956 | clip.exe | clip.exe
  PID 1788 wrote to memory of 1336 | 1788 | clip.exe | clip.exe
  PID 1788 wrote to memory of 1336 | 1788 | clip.exe | clip.exe
  PID 1788 wrote to memory of 1336 | 1788 | clip.exe | clip.exe
- Views/modifies file attributes [1 TTPs, 1 IoCs]
Processes

C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe"
  - Suspicious use of WriteProcessMemory
  PID: 484
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1152
    C:\Windows\system32\mode.com
      Command line: mode 65,10
      PID: 1996
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e file.zip -p -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 1812
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_4.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 1728
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_3.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 1704
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 832
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 1556
    C:\Windows\system32\attrib.exe
      Command line: attrib +H "@menvzlomali.exe"
      - Views/modifies file attributes
      PID: 468
    C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
      Command line: "@menvzlomali.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1256
      C:\Users\Admin\AppData\Local\Temp\mine.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\mine.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        PID: 348
        C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
          Command line: "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of WriteProcessMemory
          PID: 1440
          C:\Windows\system32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp602A.tmp.cmd""
            - Suspicious use of WriteProcessMemory
            PID: 1856
            C:\Windows\system32\timeout.exe
              Command line: timeout 4
              - Delays execution with timeout.exe
              PID: 940
            C:\Windows\system32\schtasks.exe
              Command line: schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
              - Creates scheduled task(s)
              PID: 1248
      C:\Users\Admin\AppData\Local\Temp\clip.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\clip.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1956
        C:\Users\Admin\AppData\Local\Temp\clip.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\clip.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 1788
          C:\Users\Admin\AppData\Local\Temp\clip.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\clip.exe
            PID: 1336

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {06224B39-8A1C-4C6E-9B3B-C9C10C8588B8} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1748
  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
    Command line: C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1560
Network
MITRE ATT&CK Enterprise v6
Downloads